CWE-325 57 個 CVE MITRE 定義 ↗

CWE-325:Missing Cryptographic Step

概覽

CWE-325(Missing Cryptographic Step)描述一種在漏洞資料庫與安全評估中使用的弱點類型;定義、背景與對應 CVE 見下方各節。

安全影響
安全影響:因產品與情境而異;請結合 CVE 紀錄、嚴重度評分與 MITRE 說明進行優先級判斷。

描述

The product does not implement a required step in a cryptographic algorithm, resulting in weaker encryption than advertised by the algorithm.

適用平台

類型 名稱 普遍性 OS / CPE
language Not Language-Specific Undetermined
technology Not Technology-Specific Undetermined

本庫相關 CVE

下列 CVE 在本庫中對應到該弱點,並保留以便追溯與檢索。

CVE 公開時間 摘要
CVE-2026-58638 2026-07-14 Missing cryptographic step in Windows Boot Loader allows an authorized attacker to bypass a security feature locally.
CVE-2026-55144 2026-07-14 Missing cryptographic step in Windows CryptoAPI allows an authorized attacker to perform tampering locally.
CVE-2026-6458 2026-06-23 Missing cryptographic step in Caliptra Core Firmware (aes_256_gcm_update module) results in an incorrect GCM authentication tag. When the streaming AES-256-GCM API is used with empty AAD, the hardware…
CVE-2026-49440 2026-06-23 Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.8.1, node:crypto.checkPrime(candidate[, options][, callback]) and crypto.checkPrimeSync(candidate[, options]) ran no Miller-Rabin …
CVE-2026-9266 2026-06-12 A Missing Required Cryptographic Step vulnerability has been identified in Moxa's embedded Linux firmware for industrial computers and controllers. This vulnerability represents an incomplete remediat…
CVE-2026-45446 2026-06-09 Issue summary: The implementations of AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) mishandle the authentication of AAD (Additional Authenticated Data) with an empty ciphertext allowing a forgery of s…
CVE-2026-45445 2026-06-09 Issue summary: When an application drives an AES-OCB context through the public EVP_Cipher() one-shot interface, the application-supplied initialisation vector (IV) is silently discarded. Impact summ…
CVE-2026-42770 2026-06-09 Issue summary: When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the peer key is not properly checked for the subgroup membership. Impact summary: A malicious peer which presents…
CVE-2026-0420 2026-06-09 An improper implementation of TLS certificate validation vulnerability found in NETGEAR's ReadyCloud client app which could allow an attacker to perform attacker-in-the-middle (MiTM) style attacks imp…
CVE-2026-48480 2026-06-04 The netty incubator codec.bhttp is a java language binary http parser. Prior to version 0.0.22.FInal, the codec-ohttp implementation of draft-ietf-ohai-chunked-ohttp does not verify that a cryptograph…
CVE-2026-42246 2026-05-09 Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.3.10, 0.4.24, 0.5.14, and 0.6.4, a man-in-the-middle attacker can cause Net::IMAP#starttl…
CVE-2026-41395 2026-04-28 OpenClaw before 2026.3.28 contains a webhook replay vulnerability in Plivo V3 signature verification that canonicalizes query ordering for signatures but hashes raw URLs for replay detection. Attacker…
CVE-2026-40542 2026-04-22 Missing critical step in authentication in Apache HttpClient 5.6 allows an attacker to cause the client to accept SCRAM-SHA-256 authentication without proper mutual authentication verification. Users …
CVE-2026-29142 2026-04-02 SEPPmail Secure Email Gateway before version 15.0.3 allows an attacker to forge a GINA-encrypted email.
CVE-2026-4601 2026-03-23 Versions of the package jsrsasign before 11.1.1 are vulnerable to Missing Cryptographic Step via the KJUR.crypto.DSA.signWithMessageHash process in the DSA signing implementation. An attacker can reco…
CVE-2026-4258 2026-03-17 All versions of the package sjcl are vulnerable to Improper Verification of Cryptographic Signature due to missing point-on-curve validation in sjcl.ecc.basicKey.publicKey(). An attacker can recover a…
CVE-2026-28498 2026-03-16 Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a library-level vulnerability was identified in the Authlib Python library concerning the validation …
CVE-2025-47383 2026-03-02 Weak configuration may lead to cryptographic issue when a VoWiFi call is triggered from UE.
CVE-2025-69418 2026-01-27 Issue summary: When using the low-level OCB API directly with AES-NI or<br>other hardware-accelerated code paths, inputs whose length is not a multiple<br>of 16 bytes can leave the final partial block…
CVE-2026-22863 2026-01-15 Deno is a JavaScript, TypeScript, and WebAssembly runtime. Before 2.6.0, node:crypto doesn't finalize cipher. The vulnerability allows an attacker to have infinite encryptions. This can lead to naive …

曾用名

  • Missing Required Cryptographic Step (2020-08-20)

內容提交

名稱
PLOVER
日期
2006-07-19
版本
Draft 3

內容修訂

日期 名稱 版本 重要性 評論
2008-07-01 Eric Dalci 1.0 updated Time_of_Introduction
2008-09-08 CWE Content Team 1.0 updated Description, Functional_Areas, Modes_of_Introduction, Relationships, Observed_Example, Relationship_Notes, Taxonomy_Mappings
2011-06-01 CWE Content Team 1.13 updated Common_Consequences
2012-05-11 CWE Content Team 2.2 updated Common_Consequences, Relationships
2014-06-23 CWE Content Team 2.7 updated Relationships
2014-07-30 CWE Content Team 2.8 updated Relationships
2017-11-08 CWE Content Team 3.0 updated Applicable_Platforms, Modes_of_Introduction, Relationships
2018-03-27 CWE Content Team 3.1 updated Relationships
2020-02-24 CWE Content Team 4.0 updated Applicable_Platforms, Description, Relationships
2020-08-20 CWE Content Team 4.2 updated Common_Consequences, Description, Modes_of_Introduction, Name
2021-10-28 CWE Content Team 4.6 updated Relationships
2023-04-27 CWE Content Team 4.11 updated Relationships, Time_of_Introduction
2023-06-29 CWE Content Team 4.12 updated Mapping_Notes
2023-10-26 CWE Content Team 4.13 updated Demonstrative_Examples, References
2025-12-11 CWE Content Team 4.19 updated Detection_Factors, Relationships, Weakness_Ordinalities

貢獻

類型 名稱 日期 評論
Content Chen Chen, Rahul Kande, Jeyavijayan Rajendran 2023-06-21 suggested demonstrative example
Content Shaza Zeitouni, Mohamadreza Rostami, Ahmad-Reza Sadeghi 2023-06-21 suggested demonstrative example
cvelogic Threat Intelligence