CVE-2023-34363
Last modified
CVE-2023-34363 is a medium-severity vulnerability rated 5.9/10 on the CVSS scale. An issue was discovered in Progress DataDirect Connect for ODBC before 08.02.2770 for Oracle. When using Oracle Advanced Security (OAS) encryption, if an error is encountered initializing the encryption object used to encrypt data, the code falls back to a different encryption mechanism that uses an insecure random number generator to generate the private key. EPSS estimates a 0.33% chance of exploitation in the next 30 days.
Description
An issue was discovered in Progress DataDirect Connect for ODBC before 08.02.2770 for Oracle. When using Oracle Advanced Security (OAS) encryption, if an error is encountered initializing the encryption object used to encrypt data, the code falls back to a different encryption mechanism that uses an insecure random number generator to generate the private key. It is possible for a well-placed attacker to predict the output of this random number generator, which could lead to an attacker decrypting traffic between the driver and the database server. The vulnerability does not exist if SSL / TLS encryption is used.
Metrics
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Progress | Datadirect Odbc Oracle Wire Protocol Driver | < 08.02.2770 |
References
- https://progress.comProduct
- https://progress.comProduct
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2023-34363?
How severe is CVE-2023-34363?
How do I fix CVE-2023-34363?
Are you affected by CVE-2023-34363?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST