Total
335 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-45925 | 1 Lannerinc | 2 Iac-ast2500a, Iac-ast2500a Firmware | 2023-02-02 | N/A | 5.3 MEDIUM |
| Observable discrepancies in the login process allow an attacker to guess legitimate user names registered in the BMC. This issue affects: Lanner Inc IAC-AST2500A standard firmware version 1.10.0. | |||||
| CVE-2022-3143 | 1 Redhat | 2 Jboss Enterprise Application Platform, Wildfly Elytron | 2023-01-25 | N/A | 7.4 HIGH |
| wildfly-elytron: possible timing attacks via use of unsafe comparator. A flaw was found in Wildfly-elytron. Wildfly-elytron uses java.util.Arrays.equals in several places, which is unsafe and vulnerable to timing attacks. To compare values securely, use java.security.MessageDigest.isEqual instead. This flaw allows an attacker to access secure information or impersonate an authed user. | |||||
| CVE-2010-10006 | 1 Jopenid Project | 1 Jopenid | 2023-01-24 | N/A | 7.5 HIGH |
| A vulnerability, which was classified as problematic, was found in michaelliao jopenid. Affected is the function getAuthentication of the file JOpenId/src/org/expressme/openid/OpenIdManager.java. The manipulation leads to observable timing discrepancy. Upgrading to version 1.08 is able to address this issue. The name of the patch is c9baaa976b684637f0d5a50268e91846a7a719ab. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-218460. | |||||
| CVE-2019-13599 | 1 Control-webpanel | 1 Webpanel | 2023-01-24 | 5.0 MEDIUM | 5.3 MEDIUM |
| In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.848, the Login process allows attackers to check whether a username is valid by comparing response times. | |||||
| CVE-2019-13383 | 1 Control-webpanel | 1 Webpanel | 2023-01-24 | 5.0 MEDIUM | 5.3 MEDIUM |
| In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.846, the Login process allows attackers to check whether a username is valid by reading the HTTP response. | |||||
| CVE-2022-42288 | 1 Nvidia | 2 Dgx A100, Dgx A100 Firmware | 2023-01-23 | N/A | 5.3 MEDIUM |
| NVIDIA BMC contains a vulnerability in IPMI handler, where an unauthorized attacker can use certain oracles to guess a valid BMC username, which may lead to an information disclosure. | |||||
| CVE-2022-48251 | 1 Arm | 20 Cortex-a53, Cortex-a53 Firmware, Cortex-a55 and 17 more | 2023-01-19 | N/A | 7.5 HIGH |
| ** DISPUTED ** The AES instructions on the ARMv8 platform do not have an algorithm that is "intrinsically resistant" to side-channel attacks. NOTE: the vendor reportedly offers the position "while power side channel attacks ... are possible, they are not directly caused by or related to the Arm architecture." | |||||
| CVE-2021-38562 | 3 Bestpractical, Debian, Fedoraproject | 3 Request Tracker, Debian Linux, Fedora | 2023-01-19 | 5.0 MEDIUM | 7.5 HIGH |
| Best Practical Request Tracker (RT) 4.2 before 4.2.17, 4.4 before 4.4.5, and 5.0 before 5.0.2 allows sensitive information disclosure via a timing attack against lib/RT/REST2/Middleware/Auth.pm. | |||||
| CVE-2022-4543 | 1 Linux | 1 Linux Kernel | 2023-01-19 | N/A | 5.5 MEDIUM |
| A flaw named "EntryBleed" was found in the Linux Kernel Page Table Isolation (KPTI). This issue could allow a local attacker to leak KASLR base via prefetch side-channels based on TLB timing for Intel systems. | |||||
| CVE-2022-4499 | 1 Tp-link | 4 Archer C5, Archer C5 Firmware, Tl-wr710n and 1 more | 2023-01-19 | N/A | 7.5 HIGH |
| TP-Link routers, Archer C5 and WR710N-V1, using the latest software, the strcmp function used for checking credentials in httpd, is susceptible to a side-channel attack. By measuring the response time of the httpd process, an attacker could guess each byte of the username and password. | |||||
| CVE-2016-15015 | 1 Paysafe | 1 Barzahlen Payment Module Php Sdk | 2023-01-12 | N/A | 5.3 MEDIUM |
| A vulnerability, which was classified as problematic, was found in viafintech Barzahlen Payment Module PHP SDK up to 2.0.0. Affected is the function verify of the file src/Webhook.php. The manipulation leads to observable timing discrepancy. Upgrading to version 2.0.1 is able to address this issue. The name of the patch is 3e7d29dc0ca6c054a6d6e211f32dae89078594c1. It is recommended to upgrade the affected component. VDB-217650 is the identifier assigned to this vulnerability. | |||||
| CVE-2020-36424 | 2 Arm, Debian | 2 Mbed Tls, Debian Linux | 2023-01-11 | 1.9 LOW | 4.7 MEDIUM |
| An issue was discovered in Arm Mbed TLS before 2.24.0. An attacker can recover a private key (for RSA or static Diffie-Hellman) via a side-channel attack against generation of base blinding/unblinding values. | |||||
| CVE-2020-36422 | 2 Arm, Debian | 2 Mbed Tls, Debian Linux | 2023-01-11 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in Arm Mbed TLS before 2.23.0. A side channel allows recovery of an ECC private key, related to mbedtls_ecp_check_pub_priv, mbedtls_pk_parse_key, mbedtls_pk_parse_keyfile, mbedtls_ecp_mul, and mbedtls_ecp_mul_restartable. | |||||
| CVE-2020-36421 | 2 Arm, Debian | 2 Mbed Tls, Debian Linux | 2023-01-11 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in Arm Mbed TLS before 2.23.0. Because of a side channel in modular exponentiation, an RSA private key used in a secure enclave could be disclosed. | |||||
| CVE-2013-10006 | 1 Ziftrshop | 1 Primecoin | 2023-01-09 | N/A | 7.5 HIGH |
| A vulnerability classified as problematic was found in Ziftr primecoin up to 0.8.4rc1. Affected by this vulnerability is the function HTTPAuthorized of the file src/bitcoinrpc.cpp. The manipulation of the argument strUserPass/strRPCUserColonPass leads to observable timing discrepancy. Upgrading to version 0.8.4rc2 is able to address this issue. The name of the patch is cdb3441b5cd2c1bae49fae671dc4a496f7c96322. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-217171. | |||||
| CVE-2021-4294 | 1 Redhat | 2 Openshift Container Platform, Openshift Osin | 2023-01-06 | N/A | 5.9 MEDIUM |
| A vulnerability was found in OpenShift OSIN. It has been classified as problematic. This affects the function ClientSecretMatches/CheckClientSecret. The manipulation of the argument secret leads to observable timing discrepancy. The name of the patch is 8612686d6dda34ae9ef6b5a974e4b7accb4fea29. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-216987. | |||||
| CVE-2022-4823 | 1 Instedd | 1 Nuntium | 2023-01-06 | N/A | 5.9 MEDIUM |
| A vulnerability, which was classified as problematic, was found in InSTEDD Nuntium. Affected is an unknown function of the file app/controllers/geopoll_controller.rb. The manipulation of the argument signature leads to observable timing discrepancy. It is possible to launch the attack remotely. The name of the patch is 77236f7fd71a0e2eefeea07f9866b069d612cf0d. It is recommended to apply a patch to fix this issue. VDB-217002 is the identifier assigned to this vulnerability. | |||||
| CVE-2021-4286 | 1 Pysrp Project | 1 Pysrp | 2023-01-05 | N/A | 7.5 HIGH |
| A vulnerability, which was classified as problematic, has been found in cocagne pysrp up to 1.0.16. This issue affects the function calculate_x of the file srp/_ctsrp.py. The manipulation leads to information exposure through discrepancy. Upgrading to version 1.0.17 is able to address this issue. The name of the patch is dba52642f5e95d3da7af1780561213ee6053195f. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-216875. | |||||
| CVE-2022-41765 | 1 Mediawiki | 1 Mediawiki | 2023-01-04 | N/A | 5.3 MEDIUM |
| An issue was discovered in MediaWiki before 1.35.8, 1.36.x and 1.37.x before 1.37.5, and 1.38.x before 1.38.3. HTMLUserTextField exposes the existence of hidden users. | |||||
| CVE-2022-45416 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2023-01-04 | N/A | 6.5 MEDIUM |
| Keyboard events reference strings like "KeyA" that were at fixed, known, and widely-spread addresses. Cache-based timing attacks such as Prime+Probe could have possibly figured out which keys were being pressed. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107. | |||||