CWE-326
Allowed-with-ReviewInadequate Encryption Strength
Abstraction: Class · Status: Draft
The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
631 vulnerabilities reference this CWE, most recent first.
GHSA-4HV2-R2P9-22RQ
Vulnerability from github – Published: 2022-02-25 00:01 – Updated: 2022-03-08 00:00Inadequate encryption may allow the passwords for Emerson OpenEnterprise versions through 3.3.4 user accounts to be obtained.
{
"affected": [],
"aliases": [
"CVE-2020-10636"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-02-24T19:15:00Z",
"severity": "HIGH"
},
"details": "Inadequate encryption may allow the passwords for Emerson OpenEnterprise versions through 3.3.4 user accounts to be obtained.",
"id": "GHSA-4hv2-r2p9-22rq",
"modified": "2022-03-08T00:00:41Z",
"published": "2022-02-25T00:01:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10636"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-20-140-02"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-4MJP-P7H5-XHFJ
Vulnerability from github – Published: 2024-08-02 00:31 – Updated: 2024-08-09 21:31Under certain circumstances the communication between exacqVision Client and exacqVision Server will use insufficient key length and exchange
{
"affected": [],
"aliases": [
"CVE-2024-32758"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-01T22:15:24Z",
"severity": "CRITICAL"
},
"details": "Under certain circumstances the communication between exacqVision Client and exacqVision Server will use insufficient key length and exchange",
"id": "GHSA-4mjp-p7h5-xhfj",
"modified": "2024-08-09T21:31:35Z",
"published": "2024-08-02T00:31:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32758"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-214-01"
},
{
"type": "WEB",
"url": "https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-4Q2F-2VFX-8GG8
Vulnerability from github – Published: 2022-08-30 00:00 – Updated: 2022-09-02 00:01Hytec Inter HWL-2511-SS v1.05 and below implements a SHA512crypt hash for the root account which can be easily cracked via a brute-force attack.
{
"affected": [],
"aliases": [
"CVE-2022-36555"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-29T23:15:00Z",
"severity": "CRITICAL"
},
"details": "Hytec Inter HWL-2511-SS v1.05 and below implements a SHA512crypt hash for the root account which can be easily cracked via a brute-force attack.",
"id": "GHSA-4q2f-2vfx-8gg8",
"modified": "2022-09-02T00:01:02Z",
"published": "2022-08-30T00:00:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36555"
},
{
"type": "WEB",
"url": "https://gist.github.com/Nwqda/b27418ab801eb0b9cdbe8d042cb0249b"
},
{
"type": "WEB",
"url": "https://hytec.co.jp/eng/products/our-brand/hwl-2511-ss.html"
},
{
"type": "WEB",
"url": "https://hytec.co.jp/eng/wordpress/wp-content/uploads/2019/09/hwl-2511-ss-ds.3.0.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4Q7G-W286-MWC4
Vulnerability from github – Published: 2022-05-13 01:10 – Updated: 2022-05-13 01:10Weak cryptography used for passwords in CA Privileged Access Manager 2.x reduces the complexity for password cracking.
{
"affected": [],
"aliases": [
"CVE-2018-9028"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-06-18T18:29:00Z",
"severity": "HIGH"
},
"details": "Weak cryptography used for passwords in CA Privileged Access Manager 2.x reduces the complexity for password cracking.",
"id": "GHSA-4q7g-w286-mwc4",
"modified": "2022-05-13T01:10:54Z",
"published": "2022-05-13T01:10:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-9028"
},
{
"type": "WEB",
"url": "https://support.ca.com/us/product-content/recommended-reading/security-notices/ca20180614-01--security-notice-for-ca-privileged-access-manager.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/104496"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4QGP-FHJ8-CFM3
Vulnerability from github – Published: 2022-05-04 00:00 – Updated: 2022-05-10 00:00IBM Spectrum Scale 5.1.0 through 5.1.3.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 221012.
{
"affected": [],
"aliases": [
"CVE-2022-22368"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-03T19:15:00Z",
"severity": "HIGH"
},
"details": "IBM Spectrum Scale 5.1.0 through 5.1.3.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 221012.",
"id": "GHSA-4qgp-fhj8-cfm3",
"modified": "2022-05-10T00:00:27Z",
"published": "2022-05-04T00:00:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22368"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/221012"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6579139"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4WGF-9X5R-P938
Vulnerability from github – Published: 2022-05-13 01:50 – Updated: 2023-07-06 23:26The str_rot_pass function in vendor/atholn1600/php-proxy/src/helpers.php in PHP-Proxy 5.1.0 uses weak cryptography, which makes it easier for attackers to calculate the authorization data needed for local file inclusion.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "athlon1600/php-proxy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "5.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-19784"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": true,
"github_reviewed_at": "2023-07-06T23:26:41Z",
"nvd_published_at": "2018-12-01T00:29:00Z",
"severity": "HIGH"
},
"details": "The [str_rot_pass](https://github.com/Athlon1600/php-proxy/blob/9cc42804ddafa079b86b947e4dd83852edddffca/src/helpers.php#L66) function in vendor/atholn1600/php-proxy/src/helpers.php in PHP-Proxy 5.1.0 uses weak cryptography, which makes it easier for attackers to calculate the authorization data needed for local file inclusion.",
"id": "GHSA-4wgf-9x5r-p938",
"modified": "2023-07-06T23:26:41Z",
"published": "2022-05-13T01:50:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-19784"
},
{
"type": "WEB",
"url": "https://github.com/Athlon1600/php-proxy-app/issues/139"
},
{
"type": "WEB",
"url": "https://github.com/0xUhaw/CVE-Bins/tree/master/PHP-Proxy"
},
{
"type": "PACKAGE",
"url": "https://github.com/Athlon1600/php-proxy"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Weak Cryptography in PHP-Proxy"
}
GHSA-4X5H-XMV4-99WX
Vulnerability from github – Published: 2023-07-06 19:24 – Updated: 2024-10-18 16:28In Apache Linkis <=1.3.1, due to the default token generated by Linkis Gateway deployment being too simple, it is easy for attackers to obtain the default token for the attack. Generation rules should add random values.
We recommend users upgrade the version of Linkis to version 1.3.2 And modify the default token value. You can refer to Token authorization.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.linkis:linkis"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.3.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-27987"
],
"database_specific": {
"cwe_ids": [
"CWE-294",
"CWE-326"
],
"github_reviewed": true,
"github_reviewed_at": "2023-07-06T22:04:03Z",
"nvd_published_at": "2023-04-10T08:15:00Z",
"severity": "CRITICAL"
},
"details": "In Apache Linkis \u003c=1.3.1,\u00a0due to the default token generated by Linkis Gateway deployment being too simple, it is easy for attackers to obtain the default token for the attack.\u00a0Generation rules should add random values.\n\nWe recommend users upgrade the version of Linkis to version 1.3.2 And modify the default token value. You can refer to Token authorization.",
"id": "GHSA-4x5h-xmv4-99wx",
"modified": "2024-10-18T16:28:11Z",
"published": "2023-07-06T19:24:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27987"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/linkis"
},
{
"type": "WEB",
"url": "https://linkis.apache.org/docs/latest/auth/token"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/3cr1cz3210wzwngldwrqzm43vwhghp0p"
},
{
"type": "WEB",
"url": "https://www.openwall.com/lists/oss-security/2023/04/10/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Apache Linkis Authentication Bypass vulnerability"
}
GHSA-565H-44M8-4C2V
Vulnerability from github – Published: 2025-07-18 18:30 – Updated: 2026-05-07 05:15A vulnerability was found in Xuxueli xxl-job up to 3.1.1 and classified as problematic. Affected by this issue is the function makeToken of the file src/main/java/com/xxl/job/admin/controller/IndexController.java of the component Token Generation. The manipulation leads to password hash with insufficient computational effort. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.1.1"
},
"package": {
"ecosystem": "Maven",
"name": "com.xuxueli:xxl-job-admin"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.2.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-7789"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-07T05:15:45Z",
"nvd_published_at": "2025-07-18T16:15:31Z",
"severity": "LOW"
},
"details": "A vulnerability was found in Xuxueli xxl-job up to 3.1.1 and classified as problematic. Affected by this issue is the function makeToken of the file src/main/java/com/xxl/job/admin/controller/IndexController.java of the component Token Generation. The manipulation leads to password hash with insufficient computational effort. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used.",
"id": "GHSA-565h-44m8-4c2v",
"modified": "2026-05-07T05:15:45Z",
"published": "2025-07-18T18:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7789"
},
{
"type": "WEB",
"url": "https://github.com/xuxueli/xxl-job/issues/3751"
},
{
"type": "WEB",
"url": "https://github.com/xuxueli/xxl-job/commit/cb1bd548a6d9512aab6f1ba9c5686de62f863fcd"
},
{
"type": "PACKAGE",
"url": "https://github.com/xuxueli/xxl-job"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.316850"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.316850"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.615760"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "xxl-job has Inadequate Encryption Strength "
}
GHSA-56WG-JRCG-XC4Q
Vulnerability from github – Published: 2022-05-24 17:42 – Updated: 2023-05-12 00:30IBM Security Verify Information Queue 1.0.6 and 1.0.7 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 198184.
{
"affected": [],
"aliases": [
"CVE-2021-20406"
],
"database_specific": {
"cwe_ids": [
"CWE-326",
"CWE-327"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-02-12T17:15:00Z",
"severity": "MODERATE"
},
"details": "IBM Security Verify Information Queue 1.0.6 and 1.0.7 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 198184.",
"id": "GHSA-56wg-jrcg-xc4q",
"modified": "2023-05-12T00:30:16Z",
"published": "2022-05-24T17:42:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20406"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/196184"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6414763"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-58PP-MQMQ-89C9
Vulnerability from github – Published: 2023-02-09 21:30 – Updated: 2023-02-17 18:30Improper cryptographic implementation in Samsung Flow for PC 4.9.14.0 allows adjacent attackers to decrypt encrypted messages or inject commands.
{
"affected": [],
"aliases": [
"CVE-2023-21444"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-09T19:15:00Z",
"severity": "HIGH"
},
"details": "Improper cryptographic implementation in Samsung Flow for PC 4.9.14.0 allows adjacent attackers to decrypt encrypted messages or inject commands.",
"id": "GHSA-58pp-mqmq-89c9",
"modified": "2023-02-17T18:30:25Z",
"published": "2023-02-09T21:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-21444"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2023\u0026month=02"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Use an encryption scheme that is currently considered to be strong by experts in the field.
CAPEC-112: Brute Force
In this attack, some asset (information, functionality, identity, etc.) is protected by a finite secret value. The attacker attempts to gain access to this asset by using trial-and-error to exhaustively explore all the possible secret values in the hope of finding the secret (or a value that is functionally equivalent) that will unlock the asset.
CAPEC-192: Protocol Analysis
An adversary engages in activities to decipher and/or decode protocol information for a network or application communication protocol used for transmitting information between interconnected nodes or systems on a packet-switched data network. While this type of analysis involves the analysis of a networking protocol inherently, it does not require the presence of an actual or physical network.
CAPEC-20: Encryption Brute Forcing
An attacker, armed with the cipher text and the encryption algorithm used, performs an exhaustive (brute force) search on the key space to determine the key that decrypts the cipher text to obtain the plaintext.