Common Weakness Enumeration

CWE-326

Allowed-with-Review

Inadequate Encryption Strength

Abstraction: Class · Status: Draft

The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

631 vulnerabilities reference this CWE, most recent first.

GHSA-2P84-F2F6-W7C4

Vulnerability from github – Published: 2022-05-24 19:10 – Updated: 2022-07-13 00:01
VLAI
Details

In JetBrains TeamCity before 2021.1, an insecure key generation mechanism for encrypted properties was used.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-37546"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-08-06T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In JetBrains TeamCity before 2021.1, an insecure key generation mechanism for encrypted properties was used.",
  "id": "GHSA-2p84-f2f6-w7c4",
  "modified": "2022-07-13T00:01:34Z",
  "published": "2022-05-24T19:10:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37546"
    },
    {
      "type": "WEB",
      "url": "https://blog.jetbrains.com/blog/2021/08/05/jetbrains-security-bulletin-q2-2021"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2P8X-JCRP-PQ93

Vulnerability from github – Published: 2022-05-17 03:44 – Updated: 2022-05-17 03:44
VLAI
Details

Huawei AR routers with software before V200R007C00SPC100; Quidway S9300 routers with software before V200R009C00; S12700 routers with software before V200R008C00SPC500; S9300, Quidway S5300, and S5300 routers with software before V200R007C00; and S5700 routers with software before V200R007C00SPC500 makes it easier for remote authenticated administrators to obtain encryption keys and ciphertext passwords via vectors related to key storage.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2015-8086"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2016-10-03T21:59:00Z",
    "severity": "MODERATE"
  },
  "details": "Huawei AR routers with software before V200R007C00SPC100; Quidway S9300 routers with software before V200R009C00; S12700 routers with software before V200R008C00SPC500; S9300, Quidway S5300, and S5300 routers with software before V200R007C00; and S5700 routers with software before V200R007C00SPC500 makes it easier for remote authenticated administrators to obtain encryption keys and ciphertext passwords via vectors related to key storage.",
  "id": "GHSA-2p8x-jcrp-pq93",
  "modified": "2022-05-17T03:44:03Z",
  "published": "2022-05-17T03:44:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-8086"
    },
    {
      "type": "WEB",
      "url": "http://www.huawei.com/en/psirt/security-advisories/hw-455876"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/76897"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2RCC-9G8P-Q2VR

Vulnerability from github – Published: 2025-06-04 15:30 – Updated: 2025-06-04 15:30
VLAI
Details

Weak server key used for TLS encryption. The following products are affected: Acronis Cyber Protect 16 (Linux, macOS, Windows) before build 39938.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-48960"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-04T14:15:29Z",
    "severity": "MODERATE"
  },
  "details": "Weak server key used for TLS encryption. The following products are affected: Acronis Cyber Protect 16 (Linux, macOS, Windows) before build 39938.",
  "id": "GHSA-2rcc-9g8p-q2vr",
  "modified": "2025-06-04T15:30:40Z",
  "published": "2025-06-04T15:30:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48960"
    },
    {
      "type": "WEB",
      "url": "https://security-advisory.acronis.com/advisories/SEC-6403"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2RHR-9V3P-VV9J

Vulnerability from github – Published: 2024-03-06 12:30 – Updated: 2024-03-06 12:30
VLAI
Details

This vulnerability exists in AppSamvid software due to the usage of a weaker cryptographic algorithm (hash) SHA1 in user login component. An attacker with local administrative privileges could exploit this to obtain the password of AppSamvid on the targeted system.

Successful exploitation of this vulnerability could allow the attacker to take complete control of the application on the targeted system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-25102"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-06T12:15:45Z",
    "severity": "HIGH"
  },
  "details": "This vulnerability exists in AppSamvid software due to the usage of a weaker cryptographic algorithm (hash) SHA1 in user login component. An attacker with local administrative privileges could exploit this to obtain the password of AppSamvid on the targeted system.\n\nSuccessful exploitation of this vulnerability could allow the attacker to take complete control of the application on the targeted system.\n",
  "id": "GHSA-2rhr-9v3p-vv9j",
  "modified": "2024-03-06T12:30:28Z",
  "published": "2024-03-06T12:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25102"
    },
    {
      "type": "WEB",
      "url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2024-0081"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2VCR-G749-75QC

Vulnerability from github – Published: 2022-05-24 17:43 – Updated: 2022-05-24 17:43
VLAI
Details

On Xerox AltaLink B8045/B8055/B8065/B8075/B8090 and C8030/C8035/C8045/C8055/C8070 multifunction printers with software releases before 101.00x.099.28200, portions of the drive containing executable code were not encrypted thus leaving it open to potential cryptographic information disclosure.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-18630"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-03-04T23:15:00Z",
    "severity": "HIGH"
  },
  "details": "On Xerox AltaLink B8045/B8055/B8065/B8075/B8090 and C8030/C8035/C8045/C8055/C8070 multifunction printers with software releases before 101.00x.099.28200, portions of the drive containing executable code were not encrypted thus leaving it open to potential cryptographic information disclosure.",
  "id": "GHSA-2vcr-g749-75qc",
  "modified": "2022-05-24T17:43:43Z",
  "published": "2022-05-24T17:43:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-18630"
    },
    {
      "type": "WEB",
      "url": "https://securitydocs.business.xerox.com/wp-content/uploads/2021/03/cert_Security_Mini_Bulletin_XRX20I_for_ALB80xx-C80xx_v1.2.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-2W26-5WWQ-P3H6

Vulnerability from github – Published: 2022-05-17 02:47 – Updated: 2025-04-20 03:36
VLAI
Details

On the TP-Link TL-SG108E 1.0, admin network communications are RC4 encoded, even though RC4 is deprecated. This affects the 1.1.2 Build 20141017 Rel.50749 firmware.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-8076"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-04-23T16:59:00Z",
    "severity": "CRITICAL"
  },
  "details": "On the TP-Link TL-SG108E 1.0, admin network communications are RC4 encoded, even though RC4 is deprecated. This affects the 1.1.2 Build 20141017 Rel.50749 firmware.",
  "id": "GHSA-2w26-5wwq-p3h6",
  "modified": "2025-04-20T03:36:33Z",
  "published": "2022-05-17T02:47:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-8076"
    },
    {
      "type": "WEB",
      "url": "https://chmod750.com/2017/04/23/vulnerability-disclosure-tp-link"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2WRH-3GMH-MGCW

Vulnerability from github – Published: 2024-04-19 18:31 – Updated: 2024-04-19 18:31
VLAI
Details

IBM Aspera Faspex 5.0.0 through 5.0.7 could allow a local user to obtain sensitive information due to weaker than expected security. IBM X-Force ID: 236452.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-40745"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-19T17:15:51Z",
    "severity": "MODERATE"
  },
  "details": "IBM Aspera Faspex 5.0.0 through 5.0.7 could allow a local user to obtain sensitive information due to weaker than expected security.  IBM X-Force ID:  236452.",
  "id": "GHSA-2wrh-3gmh-mgcw",
  "modified": "2024-04-19T18:31:13Z",
  "published": "2024-04-19T18:31:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40745"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/236452"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7148632"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2X45-7FC3-MXWQ

Vulnerability from github – Published: 2025-07-31 21:31 – Updated: 2026-02-27 18:57
VLAI
Summary
php-jwt contains weak encryption
Details

php-jwt v6.11.0 was discovered to contain weak encryption.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "firebase/php-jwt"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-45769"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-18T00:55:29Z",
    "nvd_published_at": "2025-07-31T20:15:33Z",
    "severity": "LOW"
  },
  "details": "php-jwt v6.11.0 was discovered to contain weak encryption.",
  "id": "GHSA-2x45-7fc3-mxwq",
  "modified": "2026-02-27T18:57:12Z",
  "published": "2025-07-31T21:31:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-45769"
    },
    {
      "type": "WEB",
      "url": "https://github.com/firebase/php-jwt/issues/611"
    },
    {
      "type": "WEB",
      "url": "https://github.com/firebase/php-jwt/issues/618"
    },
    {
      "type": "WEB",
      "url": "https://github.com/firebase/php-jwt/issues/620"
    },
    {
      "type": "WEB",
      "url": "https://github.com/firebase/php-jwt/pull/613"
    },
    {
      "type": "WEB",
      "url": "https://github.com/github/advisory-database/pull/6954"
    },
    {
      "type": "WEB",
      "url": "https://github.com/firebase/php-jwt/commit/6b80341bf57838ea2d011487917337901cd71576"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/ZupeiNie/83756316c4c24fe97a50176a92608db3"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-2x45-7fc3-mxwq"
    },
    {
      "type": "WEB",
      "url": "https://github.com/firebase"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/firebase/php-jwt"
    },
    {
      "type": "WEB",
      "url": "https://github.com/firebase/php-jwt/releases/tag/v7.0.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "php-jwt contains weak encryption"
}

GHSA-2XRJ-WRQ4-FF74

Vulnerability from github – Published: 2022-05-24 17:10 – Updated: 2022-05-24 17:10
VLAI
Details

A vulnerability has been identified in SiNVR 3 Central Control Server (CCS) (all versions), SiNVR 3 Video Server (all versions). The streaming service (default port 5410/tcp) of the SiNVR 3 Video Server applies weak cryptography when exposing device (camera) passwords. This could allow an unauthenticated remote attacker to read and decrypt the passwords and conduct further attacks.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-19299"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326",
      "CWE-327"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-03-10T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability has been identified in SiNVR 3 Central Control Server (CCS) (all versions), SiNVR 3 Video Server (all versions). The streaming service (default port 5410/tcp) of the SiNVR 3 Video Server applies weak cryptography when exposing device (camera) passwords. This could allow an unauthenticated remote attacker to read and decrypt the passwords and conduct further attacks.",
  "id": "GHSA-2xrj-wrq4-ff74",
  "modified": "2022-05-24T17:10:37Z",
  "published": "2022-05-24T17:10:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19299"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-844761.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2XWP-M7MQ-7Q3R

Vulnerability from github – Published: 2020-10-28 17:05 – Updated: 2020-10-28 17:04
VLAI
Summary
CLI does not correctly implement strict mode
Details

In the affected versions, the AWS Encryption CLI operated in "discovery mode" even when "strict mode" was specified. Although decryption only succeeded if the user had permission to decrypt with at least one of the CMKs, decryption could be successful using a CMK that was not included in the user-defined set when the CLI was operating in "strict mode."

Affected users should upgrade to Encryption CLI v1.8.x or v2.1.x as soon as possible.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "aws-encryption-sdk-cli"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.8.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "aws-encryption-sdk-cli"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-10-28T17:04:54Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "In the affected versions, the AWS Encryption CLI operated in \"discovery mode\" even when \"strict mode\" was specified. Although decryption only succeeded if the user had permission to decrypt with at least one of the CMKs, decryption could be successful using a CMK that was not included in the user-defined set when the CLI was operating in \"strict mode.\"\n\nAffected users should upgrade to Encryption CLI v1.8.x or v2.1.x as soon as possible.",
  "id": "GHSA-2xwp-m7mq-7q3r",
  "modified": "2020-10-28T17:04:54Z",
  "published": "2020-10-28T17:05:38Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/aws/aws-encryption-sdk-cli/security/advisories/GHSA-2xwp-m7mq-7q3r"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aws/aws-encryption-sdk-cli/commit/7d21b8051cab9e52e056fe427d2bff19cf146460"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "CLI does not correctly implement strict mode"
}

Mitigation
Architecture and Design

Use an encryption scheme that is currently considered to be strong by experts in the field.

CAPEC-112: Brute Force

In this attack, some asset (information, functionality, identity, etc.) is protected by a finite secret value. The attacker attempts to gain access to this asset by using trial-and-error to exhaustively explore all the possible secret values in the hope of finding the secret (or a value that is functionally equivalent) that will unlock the asset.

CAPEC-192: Protocol Analysis

An adversary engages in activities to decipher and/or decode protocol information for a network or application communication protocol used for transmitting information between interconnected nodes or systems on a packet-switched data network. While this type of analysis involves the analysis of a networking protocol inherently, it does not require the presence of an actual or physical network.

CAPEC-20: Encryption Brute Forcing

An attacker, armed with the cipher text and the encryption algorithm used, performs an exhaustive (brute force) search on the key space to determine the key that decrypts the cipher text to obtain the plaintext.