Skip to content

GitLab

Open
Created by Administrator@rootMaintainer

Findings for Container Security, Medium, [TheRedHatter/javagoof:Dockerfile]:Use of a Broken or Risky Cryptographic Algorithm

Created by: armorcodegithubpreprod[bot]

Findings for Container Security, Medium, [TheRedHatter/javagoof:Dockerfile]:Use of a Broken or Risky Cryptographic Algorithm

Component Details

  • Exploit Maturity: no-known-exploit
  • Vulnerable Package: -
  • Current Version: -
  • Vulnerable Version(s): ><1.7.6-2+deb9u4
  • Vulnerable Path: >null

NVD Description

Note: Versions mentioned in the description apply to the upstream libgcrypt20 package. See How to fix? for Debian:9 relevant versions.

The ElGamal implementation in Libgcrypt before 1.9.4 allows plaintext recovery because, during interaction between two cryptographic libraries, a certain dangerous combination of the prime defined by the receiver's public key, the generator defined by the receiver's public key, and the sender's ephemeral exponents can lead to a cross-configuration attack against OpenPGP.

References

Origin : null Type : null Image Id : null

Snyk Project Status: Active

Component Details

  • Exploit Maturity: no-known-exploit
  • Vulnerable Package: -
  • Current Version: -
  • Vulnerable Version(s): ><3.5.8-5+deb9u4
  • Vulnerable Path: >null

NVD Description

Note: Versions mentioned in the description apply to the upstream gnutls28 package. See How to fix? for Debian:9 relevant versions.

A cache-based side channel in GnuTLS implementation that leads to plain text recovery in cross-VM attack setting was found. An attacker could use a combination of "Just in Time" Prime+probe attack in combination with Lucky-13 attack to recover plain text using crafted packets.

References

Origin : null Type : null Image Id : null

Snyk Project Status: Active

Component Details

  • Exploit Maturity: no-known-exploit
  • Vulnerable Package: -
  • Current Version: -
  • Vulnerable Version(s): ><1.1.0j-1~deb9u1
  • Vulnerable Path: >null

NVD Description

Note: Versions mentioned in the description apply to the upstream openssl package. See How to fix? for Debian:9 relevant versions.

The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to a cache timing side channel attack. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key. Fixed in OpenSSL 1.1.0i-dev (Affected 1.1.0-1.1.0h). Fixed in OpenSSL 1.0.2p-dev (Affected 1.0.2b-1.0.2o).

References

Origin : null Type : null Image Id : null

Snyk Project Status: Active

Component Details

  • Exploit Maturity: no-known-exploit
  • Vulnerable Package: -
  • Current Version: -
  • Vulnerable Version(s): ><1.1.0j-1~deb9u1
  • Vulnerable Path: >null

NVD Description

Note: Versions mentioned in the description apply to the upstream openssl package. See How to fix? for Debian:9 relevant versions.

The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.1.1a (Affected 1.1.1).

References

Origin : null Type : null Image Id : null

Snyk Project Status: Active

Component Details

  • Exploit Maturity: no-known-exploit
  • Vulnerable Package: -
  • Current Version: -
  • Vulnerable Version(s): ><2:3.26.2-1.1+deb9u2
  • Vulnerable Path: >null

NVD Description

Note: Versions mentioned in the description apply to the upstream nss package. See How to fix? for Debian:9 relevant versions.

During ECDSA signature generation, padding applied in the nonce designed to ensure constant-time scalar multiplication was removed, resulting in variable-time execution dependent on secret data. This vulnerability affects Firefox < 80 and Firefox for Android < 80.

References

Origin : null Type : null Image Id : null

Snyk Project Status: Active

Component Details

  • Exploit Maturity: no-known-exploit
  • Vulnerable Package: -
  • Current Version: -
  • Vulnerable Version(s): ><3.5.8-5+deb9u4
  • Vulnerable Path: >null

NVD Description

Note: Versions mentioned in the description apply to the upstream gnutls28 package. See How to fix? for Debian:9 relevant versions.

It was found that the GnuTLS implementation of HMAC-SHA-256 was vulnerable to a Lucky thirteen style attack. Remote attackers could use this flaw to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data using crafted packets.

References

Origin : null Type : null Image Id : null

Snyk Project Status: Active

Component Details

  • Exploit Maturity: no-known-exploit
  • Vulnerable Package: -
  • Current Version: -
  • Vulnerable Version(s): ><1.1.0j-1~deb9u1
  • Vulnerable Path: >null

NVD Description

Note: Versions mentioned in the description apply to the upstream openssl package. See How to fix? for Debian:9 relevant versions.

The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a (Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p).

References

Origin : null Type : null Image Id : null

Snyk Project Status: Active

Component Details

  • Exploit Maturity: no-known-exploit
  • Vulnerable Package: -
  • Current Version: -
  • Vulnerable Version(s): ><2:3.26.2-1.1+deb9u2
  • Vulnerable Path: >null

NVD Description

Note: Versions mentioned in the description apply to the upstream nss package. See How to fix? for Debian:9 relevant versions.

During RSA key generation, bignum implementations used a variation of the Binary Extended Euclidean Algorithm which entailed significantly input-dependent flow. This allowed an attacker able to perform electromagnetic-based side channel attacks to record traces leading to the recovery of the secret primes. Note: An unmodified Firefox browser does not generate RSA keys in normal operation and is not affected, but products built on top of it might. This vulnerability affects Firefox < 78.

References

Origin : null Type : null Image Id : null

Snyk Project Status: Active

Component Details

  • Exploit Maturity: no-known-exploit
  • Vulnerable Package: -
  • Current Version: -
  • Vulnerable Version(s): ><3.5.8-5+deb9u4
  • Vulnerable Path: >null

NVD Description

Note: Versions mentioned in the description apply to the upstream gnutls28 package. See How to fix? for Debian:9 relevant versions.

It was found that the GnuTLS implementation of HMAC-SHA-384 was vulnerable to a Lucky thirteen style attack. Remote attackers could use this flaw to conduct distinguishing attacks and plain text recovery attacks via statistical analysis of timing data using crafted packets.

References

Origin : null Type : null Image Id : null

Snyk Project Status: Active

Component Details

  • Exploit Maturity: no-known-exploit
  • Vulnerable Package: -
  • Current Version: -
  • Vulnerable Version(s): ><1.0.2q-1~deb9u1
  • Vulnerable Path: >null

NVD Description

Note: Versions mentioned in the description apply to the upstream openssl1.0 package. See How to fix? for Debian:9 relevant versions.

The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to a cache timing side channel attack. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key. Fixed in OpenSSL 1.1.0i-dev (Affected 1.1.0-1.1.0h). Fixed in OpenSSL 1.0.2p-dev (Affected 1.0.2b-1.0.2o).

References

Origin : null Type : null Image Id : null

Snyk Project Status: Active

Component Details

  • Exploit Maturity: no-known-exploit
  • Vulnerable Package: -
  • Current Version: -
  • Vulnerable Version(s): ><1.0.2q-1~deb9u1
  • Vulnerable Path: >null

NVD Description

Note: Versions mentioned in the description apply to the upstream openssl1.0 package. See How to fix? for Debian:9 relevant versions.

The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a (Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p).

References

Origin : null Type : null Image Id : null

Snyk Project Status: Active