CWE-323
Reusing a Nonce, Key Pair in Encryption
Description
Nonces should be used for the present occasion and only once.
Hierarchy (View 1000)
Parents
Children
none
CVEs mapped to this weakness (24)
Page 2 of 2

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-41951 | | Med | 0.22 | 4.4 | 0.00 | | Jul 31, 2024 | Pheonix App is a Python application designed to streamline various tasks, from managing files to playing mini-games. The issue is that the map of encoding/decoding languages are visible in code. The Problem was patched in 0.2.4. |
| CVE-2024-23688 | | | 0.00 | — | 0.00 | | Jan 19, 2024 | Consensys Discovery versions less than 0.4.5 uses the same AES/GCM nonce for the entire session, which should ideally be unique for every message. The node's private key isn't compromised, only the session key generated for specific peer communication is exposed. |
| CVE-2023-4680 | | | 0.00 | — | 0.00 | | Sep 14, 2023 | HashiCorp Vault and Vault Enterprise transit secrets engine allowed authorized users to specify arbitrary nonces, even with convergent encryption disabled. The encrypt endpoint, in combination with an offline attack, could be used to decrypt arbitrary ciphertext and potentially… |
| CVE-2020-2099 | | | 0.00 | — | 0.01 | | Jan 29, 2020 | Jenkins 2.213 and earlier, LTS 2.204.1 and earlier improperly reuses encryption key parameters in the Inbound TCP Agent Protocol/3, allowing unauthorized attackers with knowledge of agent names to obtain the connection secrets for those agents, which can be used to connect to… |