CVE-2022-36937

CRITICAL Year: 2022
CVSS v3 Score
9.8
Critical
Weakness Type
CWE-327
View all →

Vulnerability Description

HHVM 4.172.0 and all prior versions use TLS 1.0 for secure connections when handling tls:// URLs in the stream extension. TLS1.0 has numerous published vulnerabilities and is deprecated. HHVM 4.153.4, 4.168.2, 4.169.2, 4.170.2, 4.171.1, 4.172.1, 4.173.0 replaces TLS1.0 with TLS1.3. Applications that call stream_socket_server or stream_socket_client functions with a URL starting with tls:// are affected.

Related Vulnerabilities

CVE-2007-6013

CRITICAL
CVSS:9.8(Critical)

Wordpress 1.5 through 2.3.1 uses cookie values based on the MD5 hash of a password MD5 hash, which allows attackers to bypass authentication by obtaining the MD5 hash from the user database, then gene...

CWE-3272007

CVE-2012-4449

CRITICAL
CVSS:9.8(Critical)

Apache Hadoop before 0.23.4, 1.x before 1.0.4, and 2.x before 2.0.2 generate token passwords using a 20-bit secret when Kerberos security features are enabled, which makes it easier for context-depend...

CWE-3272012

CVE-2014-8687

CRITICAL
CVSS:9.8(Critical)

Seagate Business NAS devices with firmware before 2015.00322 allow remote attackers to execute arbitrary code with root privileges by leveraging use of a static encryption key to create session tokens...

CWE-3272014

CVE-2014-9969

CRITICAL
CVSS:9.8(Critical)

In all Qualcomm products with Android releases from CAF using the Linux kernel, the GPS client may use an insecure cryptographic algorithm.

CWE-3272014

CVE-2016-6602

CRITICAL
CVSS:9.8(Critical)

ZOHO WebNMS Framework 5.2 and 5.2 SP1 use a weak obfuscation algorithm to store passwords, which allows context-dependent attackers to obtain cleartext passwords by leveraging access to WEB-INF/conf/s...

CWE-3272016

CVE-2017-17717

CRITICAL
CVSS:9.8(Critical)

Sonatype Nexus Repository Manager through 2.14.5 has weak password encryption with a hardcoded CMMDwoV value in the LDAP integration feature.

CWE-3272017