Total
125 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-42492 | 1 Busbaer | 1 Eisbaer Scada | 2024-09-10 | 7.1 High |
| EisBaer Scada - CWE-321: Use of Hard-coded Cryptographic Key | ||||
| CVE-2023-44318 | 1 Siemens | 142 6ag1206-2bb00-7ac2, 6ag1206-2bb00-7ac2 Firmware, 6ag1206-2bs00-7ac2 and 139 more | 2024-09-10 | 4.9 Medium |
| Affected devices use a hardcoded key to obfuscate the configuration backup that an administrator can export from the device. This could allow an authenticated attacker with administrative privileges or an attacker that obtains a configuration backup to extract configuration information from the exported file. | ||||
| CVE-2024-42418 | 2 Avtec, Avtecinc | 5 Outpost 0810, Outpost Uploader Utility, Outpost 0810 and 2 more | 2024-09-04 | 7.5 High |
| Avtec Outpost uses a default cryptographic key that can be used to decrypt sensitive information. | ||||
| CVE-2022-48625 | 2024-08-29 | 7.5 High | ||
| Yealink Config Encrypt Tool add RSA before 1.2 has a built-in RSA key pair, and thus there is a risk of decryption by an adversary. | ||||
| CVE-2024-35344 | 2024-08-28 | 9.9 Critical | ||
| Certain Anpviz products contain a hardcoded cryptographic key stored in the firmware of the device. This affects IPC-D250, IPC-D260, IPC-B850, IPC-D850, IPC-D350, IPC-D3150, IPC-D4250, IPC-D380, IPC-D880, IPC-D280, IPC-D3180, MC800N, YM500L, YM800N_N2, YMF50B, YM800SV2, YM500L8, and YM200E10 firmware v3.2.2.2 and lower and possibly more vendors/models of IP camera. | ||||
| CVE-2024-1258 | 1 Juanpao | 1 Jpshop | 2024-08-19 | 3.1 Low |
| A vulnerability was found in Juanpao JPShop up to 1.5.02. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file api/config/params.php of the component API. The manipulation of the argument JWT_KEY_ADMIN leads to use of hard-coded cryptographic key . The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The identifier VDB-252997 was assigned to this vulnerability. | ||||
| CVE-2024-1631 | 2024-08-16 | 9.1 Critical | ||
| Impact: The library offers a function to generate an ed25519 key pair via Ed25519KeyIdentity.generate with an optional param to provide a 32 byte seed value, which will then be used as the secret key. When no seed value is provided, it is expected that the library generates the secret key using secure randomness. However, a recent change broke this guarantee and uses an insecure seed for key pair generation. Since the private key of this identity (535yc-uxytb-gfk7h-tny7p-vjkoe-i4krp-3qmcl-uqfgr-cpgej-yqtjq-rqe) is compromised, one could lose funds associated with the principal on ledgers or lose access to a canister where this principal is the controller. | ||||
| CVE-2024-6890 | 1 Journyx | 1 Journyx | 2024-08-08 | 8.8 High |
| Password reset tokens are generated using an insecure source of randomness. Attackers who know the username of the Journyx installation user can bruteforce the password reset and change the administrator password. | ||||
| CVE-2024-41260 | 1 Netbirdio | 1 Netbird | 2024-08-06 | 7.5 High |
| A static initialization vector (IV) in the encrypt function of netbird v0.28.4 allows attackers to obtain sensitive information. | ||||
| CVE-2014-3489 | 1 Redhat | 2 Cloudforms 3.0 Management Engine, Cloudforms Managementengine | 2024-08-06 | N/A |
| lib/util/miq-password.rb in Red Hat CloudForms 3.0 Management Engine (CFME) before 5.2.4.2 uses a hard-coded salt, which makes it easier for remote attackers to guess passwords via a brute force attack. | ||||
| CVE-2017-14021 | 1 Korenix | 18 Jetnet5018g Firmware, Jetnet5310g Firmware, Jetnet5428g-2g-2fx Firmware and 15 more | 2024-08-05 | N/A |
| A Use of Hard-coded Cryptographic Key issue was discovered in Korenix JetNet JetNet5018G version 1.4, JetNet5310G version 1.4a, JetNet5428G-2G-2FX version 1.4, JetNet5628G-R version 1.4, JetNet5628G version 1.4, JetNet5728G-24P version 1.4, JetNet5828G version 1.1d, JetNet6710G-HVDC version 1.1e, and JetNet6710G version 1.1. An attacker may gain access to hard-coded certificates and private keys allowing the attacker to perform man-in-the-middle attacks. | ||||
| CVE-2017-9649 | 1 Mirion Technologies | 14 Dmc 3000, Dmc 3000 Firmware, Drm-1\/2 and 11 more | 2024-08-05 | N/A |
| A Use of Hard-Coded Cryptographic Key issue was discovered in Mirion Technologies DMC 3000 Transmitter Module, iPam Transmitter f/DMC 2000, RDS-31 iTX and variants (including RSD31-AM Package), DRM-1/2 and variants (including Solar PWR Package), DRM and RDS Based Boundary Monitors, External Transmitters, Telepole II, and MESH Repeater (Telemetry Enabled Devices). An unchangeable, factory-set key is included in the 900 MHz transmitter firmware. | ||||
| CVE-2017-6054 | 1 Hyundaiusa | 1 Blue Link | 2024-08-05 | N/A |
| A Use of Hard-Coded Cryptographic Key issue was discovered in Hyundai Motor America Blue Link 3.9.5 and 3.9.4. The application uses a hard-coded decryption password to protect sensitive user information. | ||||
| CVE-2017-5242 | 1 Rapid7 | 1 Insightvm | 2024-08-05 | 7.7 High |
| Nexpose and InsightVM virtual appliances downloaded between April 5th, 2017 and May 3rd, 2017 contain identical SSH host keys. Normally, a unique SSH host key should be generated the first time a virtual appliance boots. | ||||
| CVE-2018-10896 | 2 Canonical, Redhat | 3 Cloud-init, Enterprise Linux, Rhel Eus | 2024-08-05 | 7.1 High |
| The default cloud-init configuration, in cloud-init 0.6.2 and newer, included "ssh_deletekeys: 0", disabling cloud-init's deletion of ssh host keys. In some environments, this could lead to instances created by cloning a golden master or template system, sharing ssh host keys, and being able to impersonate one another or conduct man-in-the-middle attacks. | ||||
| CVE-2018-3825 | 1 Elastic | 1 Elastic Cloud Enterprise | 2024-08-05 | N/A |
| In Elastic Cloud Enterprise (ECE) versions prior to 1.1.4 a default master encryption key is used in the process of granting ZooKeeper access to Elasticsearch clusters. Unless explicitly overwritten, this master key is predictable across all ECE deployments. If an attacker can connect to ZooKeeper directly they would be able to access configuration information of other tenants if their cluster ID is known. | ||||
| CVE-2019-19753 | 2024-08-05 | 9.1 Critical | ||
| SimpleMiningOS through v1259 ships with SSH host keys baked into the installation image, which allows man-in-the-middle attacks and makes identification of all public IPv4 nodes trivial with Shodan.io. NOTE: the vendor indicated that they have no plans to fix this, and discourage deployment using public IPv4. | ||||
| CVE-2019-19750 | 1 Minerstat | 1 Msos | 2024-08-05 | 9.8 Critical |
| minerstat msOS before 2019-10-23 does not have a unique SSH key for each instance of the product. | ||||
| CVE-2019-13929 | 1 Siemens | 1 Simatic It Uadm | 2024-08-05 | 6.5 Medium |
| A vulnerability has been identified in SIMATIC IT UADM (All versions < V1.3). An authenticated remote attacker with network access to port 1434/tcp of SIMATIC IT UADM could potentially recover a password that can be used to gain read and write access to the related TeamCenter station. The security vulnerability could be exploited only if the attacker is authenticated. No user interaction is required to exploit this security vulnerability. Successful exploitation of the security vulnerability compromises the confidentiality of the targeted system. At the time of advisory publication no public exploitation of this security vulnerability was known. | ||||
| CVE-2019-10963 | 1 Moxa | 2 Edr-810, Edr-810 Firmware | 2024-08-04 | 4.3 Medium |
| Moxa EDR 810, all versions 5.1 and prior, allows an unauthenticated attacker to be able to retrieve some log files from the device, which may allow sensitive information disclosure. Log files must have previously been exported by a legitimate user. | ||||