Skip to main content

CWE-329

Generation of Predictable IV with CBC Mode

6 CVEs Avg CVSS 5.2 MITRE
0
CRITICAL
0
HIGH
6
MEDIUM
0
LOW
0
POC
0
KEV

Monthly

CVE-2026-14969 MEDIUM This Month

Attribute encryption in the 389-ds-base LDBM backend exposes a cryptographic design flaw affecting Red Hat Directory Server 11, 12, and 13 across all supported RHEL releases (6 through 10). The LDBM backend applies a static, hardcoded initialization vector (IV) for both AES-CBC and 3DES-CBC encryption of directory attribute values, meaning that two entries storing identical plaintext for an encrypted attribute will always produce identical ciphertext blocks - a classic ciphertext equality oracle. An attacker with privileged filesystem-level read access to the LDBM database files can exploit this to determine whether any two encrypted attribute values are identical, leaking relational information about the directory without recovering plaintext. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

Information Disclosure Red Hat Directory Server 11 Red Hat Directory Server 12 Red Hat Directory Server 13 Red Hat Enterprise Linux 10 +6
NVD
CVSS 3.1
4.4
EPSS
0.1%
CVE-2024-56141 MEDIUM This Month

Minosoft is an open-source, multi-version Minecraft Java Edition client written in Kotlin. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable. No vendor patch available.

Java Information Disclosure
NVD GitHub VulDB
CVSS 3.1
5.0
EPSS
0.1%
CVE-2024-49783 MEDIUM PATCH This Month

CVE-2024-49783 is a security vulnerability (CVSS 5.3). Remediation should follow standard vulnerability management procedures. Vendor patch is available.

Information Disclosure IBM Openpages With Watson
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-2814 MEDIUM PATCH This Month

Crypt::CBC versions between 1.21 and 3.05 for Perl may use the rand() function as the default source of entropy, which is not cryptographically secure, for cryptographic functions. Rated medium severity (CVSS 4.0), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Red Hat Suse
NVD GitHub
CVSS 3.1
4.0
EPSS
0.1%
CVE-2021-27499 MEDIUM This Month

Ypsomed mylife Cloud, mylife Mobile Application, Ypsomed mylife Cloud: All versions prior to 1.7.2, Ypsomed mylife App: All versions prior to 1.7.5,The application layer encryption of the. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Mylife Mylife Cloud
NVD
CVSS 3.1
5.9
EPSS
0.5%
CVE-2020-5408 Maven MEDIUM PATCH This Month

Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Java Information Disclosure Spring Security
NVD
CVSS 3.1
6.5
EPSS
1.6%
EPSS 0% CVSS 4.4
MEDIUM This Month

Attribute encryption in the 389-ds-base LDBM backend exposes a cryptographic design flaw affecting Red Hat Directory Server 11, 12, and 13 across all supported RHEL releases (6 through 10). The LDBM backend applies a static, hardcoded initialization vector (IV) for both AES-CBC and 3DES-CBC encryption of directory attribute values, meaning that two entries storing identical plaintext for an encrypted attribute will always produce identical ciphertext blocks - a classic ciphertext equality oracle. An attacker with privileged filesystem-level read access to the LDBM database files can exploit this to determine whether any two encrypted attribute values are identical, leaking relational information about the directory without recovering plaintext. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

Information Disclosure Red Hat Directory Server 11 Red Hat Directory Server 12 +8
NVD
EPSS 0% CVSS 5.0
MEDIUM This Month

Minosoft is an open-source, multi-version Minecraft Java Edition client written in Kotlin. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable. No vendor patch available.

Java Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

CVE-2024-49783 is a security vulnerability (CVSS 5.3). Remediation should follow standard vulnerability management procedures. Vendor patch is available.

Information Disclosure IBM Openpages With Watson
NVD
EPSS 0% CVSS 4.0
MEDIUM PATCH This Month

Crypt::CBC versions between 1.21 and 3.05 for Perl may use the rand() function as the default source of entropy, which is not cryptographically secure, for cryptographic functions. Rated medium severity (CVSS 4.0), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Red Hat Suse
NVD GitHub
EPSS 0% CVSS 5.9
MEDIUM This Month

Ypsomed mylife Cloud, mylife Mobile Application, Ypsomed mylife Cloud: All versions prior to 1.7.2, Ypsomed mylife App: All versions prior to 1.7.5,The application layer encryption of the. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Mylife Mylife Cloud
NVD
EPSS 2% CVSS 6.5
MEDIUM PATCH This Month

Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Java Information Disclosure Spring Security
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy