CVEbaza.plSłownik CWECWE-1204
Common Weakness Enumeration

CWE-1204

Generation of Weak Initialization Vector (IV)

Kategoria: BaseCVE: 5
Opis

Produkt wykorzystuje prymityw kryptograficzny wymagający wektora inicjalizacyjnego (IV), jednak nie generuje wektorów, które są wystarczająco nieprzewidywalne lub unikalne zgodnie z wymogami kryptograficznymi danego prymitywu. Prowadzi to do osłabienia bezpieczeństwa szyfrowania i możliwości jego złamania.

Description (EN)

The product uses a cryptographic primitive that uses an Initialization Vector (IV), but the product does not generate IVs that are sufficiently unpredictable or unique according to the expected cryptographic requirements for that primitive.

Podatności CVE z CWE-1204 (5)
8.7
CVSS
HIGH
CVE-2026-25998

strongMan is a management interface for strongSwan, an OpenSource IPsec-based VPN. When storing credentials in the database (private keys, EAP secrets), strongMan encrypts the corresponding database fields. So far it used AES in CTR mode with a global database key. Together with an initialization vector (IV), a key stream is generated to encrypt the data in the database fields. But because strongMan did not generate individual IVs, every database field was encrypted using the same key stream. An attacker that has access to the database can use this to recover the encrypted credentials. In particular, because certificates, which have to be considered public information, are also encrypted using the same mechanism, an attacker can directly recover a large chunk of the key stream, which allows them to decrypt basically all other secrets especially ECDSA private keys and EAP secrets, which are usually a lot shorter. Version 0.2.0 fixes the issue by switching to AES-GCM-SIV encryption with a random nonce and an individually derived encryption key, using HKDF, for each encrypted value. Database migrations are provided to automatically re-encrypt all credentials.

pub. 2026-02-19
7.5
CVSS
HIGH
CVE-2026-5087

PAGI::Middleware::Session::Store::Cookie versions through 0.001003 for Perl generates random bytes insecurely. PAGI::Middleware::Session::Store::Cookie attempts to read bytes from the /dev/urandom device directly. If that fails (for example, on systems without the device, such as Windows), then it will emit a warning that recommends the user install Crypt::URandom, and then return a string of random bytes generated by the built-in rand function, which is unsuitable for cryptographic applications. This modules does not use the Crypt::URandom module, and installing it will not fix the problem. The random bytes are used for generating an initialisation vector (IV) to encrypt the cookie. A predictable IV may make it easier for malicious users to decrypt and tamper with the session data that is stored in the cookie.

pub. 2026-03-31
7.5
CVSS
HIGH
CVE-2022-26083

Generation of weak initialization vector in an Intel(R) IPP Cryptography software library before version 2021.5 may allow an unauthenticated user to potentially enable information disclosure via local access.

pub. 2025-02-14
6.5
CVSS
MEDIUM
CVE-2025-0714

The vulnerability exists in the password storage of Mobateks MobaXterm in versions below 25.0. MobaXTerm uses an initialisation vector (IV) consisting only of zero bytes and a master key to encrypt each password individually. In the default configuration, on opening MobaXTerm, the user is prompted for their password. A derivative of the password is used as the master key. As both the master key and the IV are the same for each stored password, the AES CFB ciphertext depends only on the plaintext (the password). The static IV and master key make it easier to obtain sensitive information and to decrypt data when it is stored at rest.

pub. 2025-02-17
3.1
CVSS
LOW
CVE-2023-2747

The initialization vector (IV) used by the secure engine (SE) for encrypting data stored in the SE flash memory is uninitialized.

pub. 2023-06-15
Informacje
ID: CWE-1204
Typ: Base
Podatności: 5
MITRE CWE ↗
← Słownik CWE
CWE-1204 — Generowanie słabego wektora inicjalizacyjnego (IV) | Słownik CWE | CVEbaza.pl