VYPR

CWE-325

Missing Cryptographic Step

BaseDraft

Description

The product does not implement a required step in a cryptographic algorithm, resulting in weaker encryption than advertised by the algorithm.

Hierarchy (View 1000)

Children

none

Related attack patterns (CAPEC)

CAPEC-68

CVEs mapped to this weakness (34)

page 2 of 2
  • CVE-2017-2598MedMay 23, 2018
    risk 0.21cvss 4.3epss 0.01

    Jenkins before versions 2.44, 2.32.2 uses AES ECB block cipher mode without IV for encrypting secrets which makes Jenkins and the stored secrets vulnerable to unnecessary risks (SECURITY-304).

  • CVE-2017-2600MedMay 15, 2018
    risk 0.21cvss 4.3epss 0.01

    In jenkins before versions 2.44, 2.32.2 node monitor data could be viewed by low privilege users via the remote API. These included system configuration and runtime information of these nodes (SECURITY-343).

  • CVE-2026-42770LowJun 9, 2026
    risk 0.17cvss 3.7epss 0.00

    Issue summary: When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the peer key is not properly checked for the subgroup membership. Impact summary: A malicious peer which presents an X9.42 key carrying the victim's p and g parameters, a forged q = r (a small…

  • CVE-2015-20112LowJun 29, 2025
    risk 0.15cvss 3.4epss 0.00

    RLPx 5 has two CTR streams based on the same key, IV, and nonce. This can facilitate decryption on a private network.

  • CVE-2024-55655LowDec 10, 2024
    risk 0.11cvss epss 0.00

    sigstore-python is a Python tool for generating and verifying Sigstore signatures. Versions of sigstore-python newer than 2.0.0 but prior to 3.6.0 perform insufficient validation of the "integration time" present in "v2" and "v3" bundles during the verification flow: the…

  • CVE-2017-2603LowMay 15, 2018
    risk 0.10cvss 2.6epss 0.01

    Jenkins before versions 2.44, 2.32.2 is vulnerable to a user data leak in disconnected agents' config.xml API. This could leak sensitive data such as API tokens (SECURITY-362).

  • CVE-2026-22863Jan 15, 2026
    risk 0.00cvss epss 0.00

    Deno is a JavaScript, TypeScript, and WebAssembly runtime. Before 2.6.0, node:crypto doesn't finalize cipher. The vulnerability allows an attacker to have infinite encryptions. This can lead to naive attempts at brute forcing, as well as more refined attacks with the goal to…

  • CVE-2023-46129Oct 30, 2023
    risk 0.00cvss epss 0.00

    NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing. The cryptographic key handling library, nkeys, recently gained support for encryption, not just for signing/authentication. This is…

  • CVE-2022-29229May 18, 2022
    risk 0.00cvss epss 0.00

    CaSS is a Competency and Skills System. CaSS Library, (npm:cassproject) has a missing cryptographic step when storing cryptographic keys that can allow a server administrator access to an account’s cryptographic keys. This affects CaSS servers using standalone…

  • CVE-2020-26244Dec 2, 2020
    risk 0.00cvss epss 0.01

    Python oic is a Python OpenID Connect implementation. In Python oic before version 1.2.1, there are several related cryptographic issues affecting client implementations that use the library. The issues are: 1) The IdToken signature algorithm was not checked automatically, but…

  • CVE-2020-15086Jul 29, 2020
    risk 0.00cvss epss 0.03

    In TYPO3 installations with the "mediace" extension from version 7.6.2 and before version 7.6.5, it has been discovered that an internal verification mechanism can be used to generate arbitrary checksums. The allows to inject arbitrary data having a valid cryptographic message…

  • CVE-2020-15098Jul 29, 2020
    risk 0.00cvss epss 0.02

    In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.20, and greater than or equal to 10.0.0 and less than 10.4.6, it has been discovered that an internal verification mechanism can be used to generate arbitrary checksums. This allows to inject arbitrary data having a…

  • CVE-2013-5960Sep 30, 2013
    risk 0.00cvss epss 0.02

    The authenticated-encryption feature in the symmetric-encryption implementation in the OWASP Enterprise Security API (ESAPI) for Java 2.x before 2.1.0.1 does not properly resist tampering with serialized ciphertext, which makes it easier for remote attackers to bypass intended…

  • CVE-2013-5679Sep 30, 2013
    risk 0.00cvss epss 0.02

    The authenticated-encryption feature in the symmetric-encryption implementation in the OWASP Enterprise Security API (ESAPI) for Java 2.x before 2.1.0 does not properly resist tampering with serialized ciphertext, which makes it easier for remote attackers to bypass intended…