CWE-325
Missing Cryptographic Step
Description
The product does not implement a required step in a cryptographic algorithm, resulting in weaker encryption than advertised by the algorithm.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-68
CVEs mapped to this weakness (34)
page 2 of 2| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-2598 | — | Med | 0.21 | 4.3 | 0.01 | May 23, 2018 | Jenkins before versions 2.44, 2.32.2 uses AES ECB block cipher mode without IV for encrypting secrets which makes Jenkins and the stored secrets vulnerable to unnecessary risks (SECURITY-304). | |
| CVE-2017-2600 | — | Med | 0.21 | 4.3 | 0.01 | May 15, 2018 | In jenkins before versions 2.44, 2.32.2 node monitor data could be viewed by low privilege users via the remote API. These included system configuration and runtime information of these nodes (SECURITY-343). | |
| CVE-2026-42770 | Low | 0.17 | 3.7 | 0.00 | Jun 9, 2026 | Issue summary: When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the peer key is not properly checked for the subgroup membership. Impact summary: A malicious peer which presents an X9.42 key carrying the victim's p and g parameters, a forged q = r (a small… | ||
| CVE-2015-20112 | Low | 0.15 | 3.4 | 0.00 | Jun 29, 2025 | RLPx 5 has two CTR streams based on the same key, IV, and nonce. This can facilitate decryption on a private network. | ||
| CVE-2024-55655 | Low | 0.11 | — | 0.00 | Dec 10, 2024 | sigstore-python is a Python tool for generating and verifying Sigstore signatures. Versions of sigstore-python newer than 2.0.0 but prior to 3.6.0 perform insufficient validation of the "integration time" present in "v2" and "v3" bundles during the verification flow: the… | ||
| CVE-2017-2603 | — | Low | 0.10 | 2.6 | 0.01 | May 15, 2018 | Jenkins before versions 2.44, 2.32.2 is vulnerable to a user data leak in disconnected agents' config.xml API. This could leak sensitive data such as API tokens (SECURITY-362). | |
| CVE-2026-22863 | 0.00 | — | 0.00 | Jan 15, 2026 | Deno is a JavaScript, TypeScript, and WebAssembly runtime. Before 2.6.0, node:crypto doesn't finalize cipher. The vulnerability allows an attacker to have infinite encryptions. This can lead to naive attempts at brute forcing, as well as more refined attacks with the goal to… | |||
| CVE-2023-46129 | 0.00 | — | 0.00 | Oct 30, 2023 | NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing. The cryptographic key handling library, nkeys, recently gained support for encryption, not just for signing/authentication. This is… | |||
| CVE-2022-29229 | — | 0.00 | — | 0.00 | May 18, 2022 | CaSS is a Competency and Skills System. CaSS Library, (npm:cassproject) has a missing cryptographic step when storing cryptographic keys that can allow a server administrator access to an account’s cryptographic keys. This affects CaSS servers using standalone… | ||
| CVE-2020-26244 | 0.00 | — | 0.01 | Dec 2, 2020 | Python oic is a Python OpenID Connect implementation. In Python oic before version 1.2.1, there are several related cryptographic issues affecting client implementations that use the library. The issues are: 1) The IdToken signature algorithm was not checked automatically, but… | |||
| CVE-2020-15086 | — | 0.00 | — | 0.03 | Jul 29, 2020 | In TYPO3 installations with the "mediace" extension from version 7.6.2 and before version 7.6.5, it has been discovered that an internal verification mechanism can be used to generate arbitrary checksums. The allows to inject arbitrary data having a valid cryptographic message… | ||
| CVE-2020-15098 | 0.00 | — | 0.02 | Jul 29, 2020 | In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.20, and greater than or equal to 10.0.0 and less than 10.4.6, it has been discovered that an internal verification mechanism can be used to generate arbitrary checksums. This allows to inject arbitrary data having a… | |||
| CVE-2013-5960 | 0.00 | — | 0.02 | Sep 30, 2013 | The authenticated-encryption feature in the symmetric-encryption implementation in the OWASP Enterprise Security API (ESAPI) for Java 2.x before 2.1.0.1 does not properly resist tampering with serialized ciphertext, which makes it easier for remote attackers to bypass intended… | |||
| CVE-2013-5679 | 0.00 | — | 0.02 | Sep 30, 2013 | The authenticated-encryption feature in the symmetric-encryption implementation in the OWASP Enterprise Security API (ESAPI) for Java 2.x before 2.1.0 does not properly resist tampering with serialized ciphertext, which makes it easier for remote attackers to bypass intended… |
- risk 0.21cvss 4.3epss 0.01
Jenkins before versions 2.44, 2.32.2 uses AES ECB block cipher mode without IV for encrypting secrets which makes Jenkins and the stored secrets vulnerable to unnecessary risks (SECURITY-304).
- risk 0.21cvss 4.3epss 0.01
In jenkins before versions 2.44, 2.32.2 node monitor data could be viewed by low privilege users via the remote API. These included system configuration and runtime information of these nodes (SECURITY-343).
- risk 0.17cvss 3.7epss 0.00
Issue summary: When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the peer key is not properly checked for the subgroup membership. Impact summary: A malicious peer which presents an X9.42 key carrying the victim's p and g parameters, a forged q = r (a small…
- risk 0.15cvss 3.4epss 0.00
RLPx 5 has two CTR streams based on the same key, IV, and nonce. This can facilitate decryption on a private network.
- risk 0.11cvss —epss 0.00
sigstore-python is a Python tool for generating and verifying Sigstore signatures. Versions of sigstore-python newer than 2.0.0 but prior to 3.6.0 perform insufficient validation of the "integration time" present in "v2" and "v3" bundles during the verification flow: the…
- risk 0.10cvss 2.6epss 0.01
Jenkins before versions 2.44, 2.32.2 is vulnerable to a user data leak in disconnected agents' config.xml API. This could leak sensitive data such as API tokens (SECURITY-362).
- CVE-2026-22863Jan 15, 2026risk 0.00cvss —epss 0.00
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Before 2.6.0, node:crypto doesn't finalize cipher. The vulnerability allows an attacker to have infinite encryptions. This can lead to naive attempts at brute forcing, as well as more refined attacks with the goal to…
- CVE-2023-46129Oct 30, 2023risk 0.00cvss —epss 0.00
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing. The cryptographic key handling library, nkeys, recently gained support for encryption, not just for signing/authentication. This is…
- CVE-2022-29229May 18, 2022risk 0.00cvss —epss 0.00
CaSS is a Competency and Skills System. CaSS Library, (npm:cassproject) has a missing cryptographic step when storing cryptographic keys that can allow a server administrator access to an account’s cryptographic keys. This affects CaSS servers using standalone…
- CVE-2020-26244Dec 2, 2020risk 0.00cvss —epss 0.01
Python oic is a Python OpenID Connect implementation. In Python oic before version 1.2.1, there are several related cryptographic issues affecting client implementations that use the library. The issues are: 1) The IdToken signature algorithm was not checked automatically, but…
- CVE-2020-15086Jul 29, 2020risk 0.00cvss —epss 0.03
In TYPO3 installations with the "mediace" extension from version 7.6.2 and before version 7.6.5, it has been discovered that an internal verification mechanism can be used to generate arbitrary checksums. The allows to inject arbitrary data having a valid cryptographic message…
- CVE-2020-15098Jul 29, 2020risk 0.00cvss —epss 0.02
In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.20, and greater than or equal to 10.0.0 and less than 10.4.6, it has been discovered that an internal verification mechanism can be used to generate arbitrary checksums. This allows to inject arbitrary data having a…
- CVE-2013-5960Sep 30, 2013risk 0.00cvss —epss 0.02
The authenticated-encryption feature in the symmetric-encryption implementation in the OWASP Enterprise Security API (ESAPI) for Java 2.x before 2.1.0.1 does not properly resist tampering with serialized ciphertext, which makes it easier for remote attackers to bypass intended…
- CVE-2013-5679Sep 30, 2013risk 0.00cvss —epss 0.02
The authenticated-encryption feature in the symmetric-encryption implementation in the OWASP Enterprise Security API (ESAPI) for Java 2.x before 2.1.0 does not properly resist tampering with serialized ciphertext, which makes it easier for remote attackers to bypass intended…