Total: 335 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2021-37968 | 3 Debian, Fedoraproject, Google | 3 Debian Linux, Fedora, Chrome | 2022-07-12 | 4.3 MEDIUM | 4.3 MEDIUM |
Inappropriate implementation in Background Fetch API in Google Chrome prior to 94.0.4606.54 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | |||||
CVE-2021-37848 | 1 Pengutronix | 1 Barebox | 2022-07-12 | 5.0 MEDIUM | 7.5 HIGH |
common/password.c in Pengutronix barebox through 2021.07.0 leaks timing information because strncmp is used during hash comparison. | |||||
CVE-2021-44848 | 1 Cybelesoft | 1 Thinfinity Virtualui | 2022-07-12 | 5.0 MEDIUM | 5.3 MEDIUM |
In Cybele Thinfinity VirtualUI before 3.0, /changePassword returns different responses for invalid authentication requests depending on whether the username exists. | |||||
CVE-2021-20049 | 1 Sonicwall | 12 Sma100, Sma200, Sma210 and 9 more | 2022-07-08 | 5.0 MEDIUM | 7.5 HIGH |
A vulnerability in SonicWall SMA100 password change API allows a remote unauthenticated attacker to perform SMA100 username enumeration based on the server responses. This vulnerability impacts 10.2.1.2-24sv, 10.2.0.8-37sv and earlier 10.x versions. | |||||
CVE-2021-41634 | 1 Melag | 1 Ftp Server | 2022-07-01 | 5.0 MEDIUM | 5.3 MEDIUM |
A user enumeration vulnerability in MELAG FTP Server 2.2.0.4 allows an attacker to identify valid FTP usernames. | |||||
CVE-2022-23823 | 1 Amd | 284 A10-9600p, A10-9600p Firmware, A10-9630p and 281 more | 2022-06-29 | 4.0 MEDIUM | 6.5 MEDIUM |
A potential vulnerability in some AMD processors using frequency scaling may allow an authenticated attacker to execute a timing attack to potentially enable information disclosure. | |||||
CVE-2022-34174 | 1 Jenkins | 1 Jenkins | 2022-06-29 | 5.0 MEDIUM | 7.5 HIGH |
In Jenkins 2.355 and earlier, LTS 2.332.3 and earlier, an observable timing discrepancy on the login form allows distinguishing between login attempts with an invalid username, and login attempts with a valid username and wrong password, when using the Jenkins user database security realm. | |||||
CVE-2022-24436 | 1 Intel | 1 * | 2022-06-28 | 4.0 MEDIUM | 6.5 MEDIUM |
Observable behavioral in power management throttling for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via network access. | |||||
CVE-2022-0823 | 1 Zyxel | 8 Gs1200-5, Gs1200-5 Firmware, Gs1200-5hp and 5 more | 2022-06-15 | 2.1 LOW | 6.2 MEDIUM |
An improper control of interaction frequency vulnerability in Zyxel GS1200 series switches could allow a local attacker to guess the password by using a timing side-channel attack. | |||||
CVE-2022-32273 | 1 Opswat | 1 Metadefender | 2022-06-15 | 4.0 MEDIUM | 4.3 MEDIUM |
As a result of an observable discrepancy in returned messages, OPSWAT MetaDefender Core (MDCore) before 5.1.2 could allow an authenticated user to enumerate filenames on the server. | |||||
CVE-2022-29185 | 1 Totp-rs Project | 1 Totp-rs | 2022-06-07 | 3.5 LOW | 4.4 MEDIUM |
totp-rs is a Rust library that permits the creation of 2FA authentication tokens per time-based one-time password (TOTP). Prior to version 1.1.0, token comparison was not constant time, and could theoretically be used to guess the value of a TOTP token, and thus reuse it in the same time window. The attacker would have to know the password beforehand nonetheless. Starting with patched version 1.1.0, the library uses constant-time comparison. There are currently no known workarounds. | |||||
CVE-2019-3740 | 2 Dell, Oracle | 18 Bsafe Cert-j, Bsafe Crypto-j, Bsafe Ssl-j and 15 more | 2022-06-07 | 4.3 MEDIUM | 6.5 MEDIUM |
RSA BSAFE Crypto-J versions prior to 6.2.5 are vulnerable to Information Exposure Through Timing Discrepancy vulnerabilities during DSA key generation. A malicious remote attacker could potentially exploit those vulnerabilities to recover DSA keys. | |||||
CVE-2022-24043 | 1 Siemens | 8 Desigo Dxr2, Desigo Dxr2 Firmware, Desigo Pxc3 and 5 more | 2022-06-01 | 5.0 MEDIUM | 5.3 MEDIUM |
A vulnerability has been identified in Desigo DXR2 (All versions < V01.21.142.5-22), Desigo PXC3 (All versions < V01.21.142.4-18), Desigo PXC4 (All versions < V02.20.142.10-10884), Desigo PXC5 (All versions < V02.20.142.10-10884). The login functionality of the application fails to normalize the response times of login attempts performed with wrong usernames with the ones executed with correct usernames. A remote unauthenticated attacker could exploit this side-channel information to perform a username enumeration attack and identify valid usernames. | |||||
CVE-2020-3585 | 1 Cisco | 7 Adaptive Security Appliance Software, Firepower 1000, Firepower 1010 and 4 more | 2022-05-26 | 4.3 MEDIUM | 3.7 LOW |
A vulnerability in the TLS handler of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software for Cisco Firepower 1000 Series firewalls could allow an unauthenticated, remote attacker to gain access to sensitive information. The vulnerability is due to improper implementation of countermeasures against the Bleichenbacher attack for cipher suites that rely on RSA for key exchange. An attacker could exploit this vulnerability by sending crafted TLS messages to the device, which would act as an oracle and allow the attacker to carry out a chosen-ciphertext attack. A successful exploit could allow the attacker to perform cryptanalytic operations that may allow decryption of previously captured TLS sessions to the affected device. To exploit this vulnerability, an attacker must be able to perform both of the following actions: (1) capture TLS traffic that is in transit between clients and the affected device; (2) actively establish a considerable number of TLS connections to the affected device. | |||||
CVE-2021-0089 | 3 Debian, Fedoraproject, Intel | 12 Debian Linux, Fedora, Celeron Processors and 9 more | 2022-05-24 | 2.1 LOW | 6.5 MEDIUM |
Observable response discrepancy in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access. | |||||
CVE-2021-33845 | 1 Splunk | 1 Splunk | 2022-05-17 | 5.0 MEDIUM | 5.3 MEDIUM |
The Splunk Enterprise REST API allows enumeration of usernames via the lockout error message. The potential vulnerability impacts Splunk Enterprise instances before 8.1.7 when configured to repress verbose login errors. | |||||
CVE-2021-24117 | 1 Apache | 1 Teaclave Sgx Sdk | 2022-05-13 | 4.0 MEDIUM | 4.9 MEDIUM |
In Apache Teaclave Rust SGX SDK 1.1.3, a side-channel vulnerability in base64 PEM file decoding allows system-level (administrator) attackers to obtain information about secret RSA keys via a controlled-channel and side-channel attack on software running in isolated environments that can be single stepped, especially Intel SGX. | |||||
CVE-2021-33880 | 2 Oracle, Websockets Project | 5 Communications Cloud Native Core Policy, Communications Cloud Native Core Security Edge Protection Proxy, Communications Cloud Native Core Service Communication Proxy and 2 more | 2022-05-12 | 2.6 LOW | 5.9 MEDIUM |
The aaugustin websockets library before 9.1 for Python has an Observable Timing Discrepancy on servers when HTTP Basic Authentication is enabled with basic_auth_protocol_factory(credentials=...). An attacker may be able to guess a password via a timing attack. | |||||
CVE-2021-20376 | 1 Ibm | 1 Sterling B2b Integrator | 2022-05-03 | 4.0 MEDIUM | 4.3 MEDIUM |
IBM Sterling File Gateway 2.2.0.0 through 6.1.1.0 could allow an authenticated attacker to enumerate usernames due to there being an observable discrepancy in returned messages. IBM X-Force ID: 195568. | |||||
CVE-2020-27211 | 1 Nordicsemi | 2 Nrf52840, Nrf52840 Firmware | 2022-05-03 | 3.3 LOW | 5.7 MEDIUM |
Nordic Semiconductor nRF52840 devices through 2020-10-19 have improper protection against physical side channels. The flash read-out protection (APPROTECT) can be bypassed by injecting a fault during the boot phase. |