Inadequate encryption strength in .NET, .NET Framework, Visual Studio allows an authorized attacker to disclose information over a network.
Weakness
The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| .net_framework | Microsoft | 4.6.2 (including) | 4.6.2 (including) |
| .net_framework | Microsoft | 4.7 (including) | 4.7 (including) |
| .net_framework | Microsoft | 4.7.1 (including) | 4.7.1 (including) |
| .net_framework | Microsoft | 4.7.2 (including) | 4.7.2 (including) |
| Red Hat Enterprise Linux 10 | RedHat | dotnet8.0-0:8.0.121-1.el10_0 | * |
| Red Hat Enterprise Linux 10 | RedHat | dotnet9.0-0:9.0.111-1.el10_0 | * |
| Red Hat Enterprise Linux 8 | RedHat | dotnet8.0-0:8.0.121-1.el8_10 | * |
| Red Hat Enterprise Linux 8 | RedHat | dotnet9.0-0:9.0.111-1.el8_10 | * |
| Red Hat Enterprise Linux 9 | RedHat | dotnet8.0-0:8.0.121-1.el9_6 | * |
| Red Hat Enterprise Linux 9 | RedHat | dotnet9.0-0:9.0.111-1.el9_6 | * |
| Red Hat Enterprise Linux 9.4 Extended Update Support | RedHat | dotnet8.0-0:8.0.121-1.el9_4 | * |
| Red Hat OpenShift Dev Spaces (RHOSDS) 3.25 | RedHat | devspaces/udi-rhel9:sha256:ef84715a61474b7a45b0b24c0d30370f51ab93ff86b70d5d345545253e01c3ae | * |
| Dotnet10 | Ubuntu | plucky | * |
| Dotnet7 | Ubuntu | jammy | * |
| Dotnet8 | Ubuntu | jammy | * |
| Dotnet8 | Ubuntu | noble | * |
| Dotnet8 | Ubuntu | plucky | * |
| Dotnet8 | Ubuntu | questing | * |
| Dotnet9 | Ubuntu | plucky | * |
| Dotnet9 | Ubuntu | questing | * |
Potential Mitigations
Related Attack Patterns
- https://cwe.mitre.org/data/definitions/112.html
- https://cwe.mitre.org/data/definitions/192.html
- https://cwe.mitre.org/data/definitions/20.html