CVSS: 7.5EPSS: 1%CPEs: 60EXPL: 1CVE-2002-20001
https://notcve.org/view.php?id=CVE-2002-20001
The Diffie-Hellman Key Agreement Protocol allows remote attackers (from the client side) to send arbitrary numbers that are actually not public keys, and trigger expensive server-side DHE modular-exponentiation calculations, aka a D(HE)at or D(HE)ater attack. The client needs very little CPU resources and network bandwidth. The attack may be more disruptive in cases where a client can require a server to select its largest supported key size. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE. El Protocolo de Acuerdo de Claves Diffie-Hellman permite a atacantes remotos (del lado del cliente) enviar números arbitrarios que en realidad no son claves públicas, y desencadenar costosos cálculos de exponenciación modular DHE del lado del servidor, también se conoce como un ataque D(HE)ater. • https://cert-portal.siemens.com/productcert/pdf/ssa-506569.pdf https://dheatattack.com https://dheatattack.gitlab.io https://github.com/Balasys/dheater https://github.com/mozilla/ssl-config-generator/issues/162 https://gitlab.com/dheatattack/dheater https://ieeexplore.ieee.org/document/10374117 https://support.f5.com/csp/article/K83120834 https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2022-004.txt https://www.openssl.org/blog/blog/2022/10/21/tls-groups-configuration https: • CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2021-26578 – Hewlett Packard Enterprise Network Orchestrator uaf-token SQL Injection Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2021-26578
A potential security vulnerability has been identified in HPE Network Orchestrator (NetO) version(s): Prior to 2.5. The vulnerability could be remotely exploited with SQL injection. Se ha identificado una vulnerabilidad de seguridad potencial en HPE Network Orchestrator (NetO) versiones: anteriores a 2.5. La vulnerabilidad podría ser explotada remotamente con una inyección SQL This vulnerability allows remote attackers to disclose sensitive information on affected installations of Hewlett Packard Enterprise Network Orchestrator. Authentication is not required to exploit this vulnerability. The specific flaw exists within the connections resource. • https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn04097en_us • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •