CWE-757
Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')
Monthly
OpenSSL and Microsoft products using the 'DEFAULT' keyword in TLS 1.3 key exchange group configurations may negotiate weaker cryptographic groups than intended, allowing network-based attackers to potentially downgrade the security of encrypted connections without authentication or user interaction. This affects servers that combine default group lists with custom configurations, particularly impacting hybrid post-quantum key exchange implementations where clients defer group selection. A patch is available to remediate this high-severity confidentiality risk.
psPAS PowerShell module does not explicitly enforce TLS 1.2 within the 'Get-PASSAMLResponse' function during the SAML authentication process. Rated low severity (CVSS 2.3), this vulnerability is no authentication required, low attack complexity.
Dell NetWorker, versions 19.12.0.1 and prior, contains a Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Information disclosure.
SIMPLE.ERP client is vulnerable to MS SQL protocol downgrade request from a server side, what could lead to an unencrypted communication vulnerable to data interception and modification. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
OpenSSL and Microsoft products using the 'DEFAULT' keyword in TLS 1.3 key exchange group configurations may negotiate weaker cryptographic groups than intended, allowing network-based attackers to potentially downgrade the security of encrypted connections without authentication or user interaction. This affects servers that combine default group lists with custom configurations, particularly impacting hybrid post-quantum key exchange implementations where clients defer group selection. A patch is available to remediate this high-severity confidentiality risk.
psPAS PowerShell module does not explicitly enforce TLS 1.2 within the 'Get-PASSAMLResponse' function during the SAML authentication process. Rated low severity (CVSS 2.3), this vulnerability is no authentication required, low attack complexity.
Dell NetWorker, versions 19.12.0.1 and prior, contains a Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Information disclosure.
SIMPLE.ERP client is vulnerable to MS SQL protocol downgrade request from a server side, what could lead to an unencrypted communication vulnerable to data interception and modification. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.