Weaknesses in this category are related to errors in the management of cryptographic keys.

Relationships:
  ChildOf Category 310 (view 699)

Maintenance note:
  This category should probably be split into multiple sub-categories.

Observed examples:
  CVE-2005-2146: insecure permissions when generating secret key, allowing spoofing
  CVE-2001-1527: administration passwords in cleartext in executable
  CVE-2000-0762: default installation of product uses a default encryption key, allowing others to spoof the administrator
  CVE-2002-1947: static key / global shared key -- "global shared key" - product uses same SSL key for all installations, allowing attackers to eavesdrop or hijack session.
  CVE-2005-4002: static key / global shared key -- "global shared key" - product uses same secret key for all installations, allowing attackers to decrypt data.
  CVE-2005-2196: static key / global shared key -- Product uses default WEP key when not connected to a known or trusted network, which can cause it to automatically connect to a malicious network. Overlaps: default.
  CVE-2005-1794: Exposed or accessible private key (overlaps information exposure) -- Private key stored in executable
  CVE-2001-0072: Exposed or accessible private key (overlaps information exposure) -- Crypto program imports both public and private keys but does not tell the user about the private keys, possibly breaking the web of trust.
  CVE-2005-3256: Misc -- Encryption product accidentally selects the wrong key if the key doesn't have additional fields that are normally expected, allowing the owner of the wrong key to decrypt the data.

Key Management Errors
PLOVER

CWE Content Team, MITRE, 2008-09-08: updated Maintenance_Notes, Relationships, Taxonomy_Mappings
CWE Content Team, MITRE, 2011-03-29: updated Observed_Examples