CVE: CVE-2016-6485

Export to Word

The __construct function in Framework/Encryption/Crypt.php in Magento 2 uses the PHP rand function to generate a random number for the initialization vector, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by guessing the value.

Threat-Mapped Scoring

Score: 0.0

Priority: Unclassified

EPSS

Score: 0.00047
Percentile: 0.14423

CVSS Scoring

CVSS v3.0 Score: 7.5

Severity: HIGH

Mapped CWE(s)

CWE-327 : Use of a Broken or Risky Cryptographic Algorithm

All CAPEC(s)

CAPEC-20: Encryption Brute Forcing
CAPEC-459: Creating a Rogue Certification Authority Certificate
CAPEC-473: Signature Spoof
CAPEC-475: Signature Spoofing by Improper Validation
CAPEC-608: Cryptanalysis of Cellular Encryption
CAPEC-614: Rooting SIM Cards
CAPEC-97: Cryptanalysis

CAPEC(s) with Mapped TTPs

CAPEC-473: Signature Spoof
Mapped TTPs:
- T1036.001 : Invalid Code Signature
- T1553.002 : Code Signing

Mapped ATT&CK TTPs

T1036.001 : Invalid Code Signature
Kill Chain: defense-evasion
T1553.002 : Code Signing
Kill Chain: defense-evasion

Malware

APTs Threat Group Associations

Campaigns

APT41 DUST
SolarWinds Compromise
Operation Honeybee
RedDelta Modified PlugX Infection Chain Operations
Operation Dream Job
C0015

Affected Products

cpe:2.3:a:magento:magento2:-:*:*:*:*:*:*:*

← Back to Home