Common Weakness Enumeration

CWE-326

Allowed-with-Review

Inadequate Encryption Strength

Abstraction: Class · Status: Draft

The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

631 vulnerabilities reference this CWE, most recent first.

GHSA-4HV2-R2P9-22RQ

Vulnerability from github – Published: 2022-02-25 00:01 – Updated: 2022-03-08 00:00
VLAI
Details

Inadequate encryption may allow the passwords for Emerson OpenEnterprise versions through 3.3.4 user accounts to be obtained.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-10636"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-02-24T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "Inadequate encryption may allow the passwords for Emerson OpenEnterprise versions through 3.3.4 user accounts to be obtained.",
  "id": "GHSA-4hv2-r2p9-22rq",
  "modified": "2022-03-08T00:00:41Z",
  "published": "2022-02-25T00:01:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10636"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-20-140-02"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-4MJP-P7H5-XHFJ

Vulnerability from github – Published: 2024-08-02 00:31 – Updated: 2024-08-09 21:31
VLAI
Details

Under certain circumstances the communication between exacqVision Client and exacqVision Server will use insufficient key length and exchange

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-32758"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-01T22:15:24Z",
    "severity": "CRITICAL"
  },
  "details": "Under certain circumstances the communication between exacqVision Client and exacqVision Server will use insufficient key length and exchange",
  "id": "GHSA-4mjp-p7h5-xhfj",
  "modified": "2024-08-09T21:31:35Z",
  "published": "2024-08-02T00:31:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32758"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-214-01"
    },
    {
      "type": "WEB",
      "url": "https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-4Q2F-2VFX-8GG8

Vulnerability from github – Published: 2022-08-30 00:00 – Updated: 2022-09-02 00:01
VLAI
Details

Hytec Inter HWL-2511-SS v1.05 and below implements a SHA512crypt hash for the root account which can be easily cracked via a brute-force attack.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-36555"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-08-29T23:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Hytec Inter HWL-2511-SS v1.05 and below implements a SHA512crypt hash for the root account which can be easily cracked via a brute-force attack.",
  "id": "GHSA-4q2f-2vfx-8gg8",
  "modified": "2022-09-02T00:01:02Z",
  "published": "2022-08-30T00:00:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36555"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/Nwqda/b27418ab801eb0b9cdbe8d042cb0249b"
    },
    {
      "type": "WEB",
      "url": "https://hytec.co.jp/eng/products/our-brand/hwl-2511-ss.html"
    },
    {
      "type": "WEB",
      "url": "https://hytec.co.jp/eng/wordpress/wp-content/uploads/2019/09/hwl-2511-ss-ds.3.0.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4Q7G-W286-MWC4

Vulnerability from github – Published: 2022-05-13 01:10 – Updated: 2022-05-13 01:10
VLAI
Details

Weak cryptography used for passwords in CA Privileged Access Manager 2.x reduces the complexity for password cracking.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-9028"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-06-18T18:29:00Z",
    "severity": "HIGH"
  },
  "details": "Weak cryptography used for passwords in CA Privileged Access Manager 2.x reduces the complexity for password cracking.",
  "id": "GHSA-4q7g-w286-mwc4",
  "modified": "2022-05-13T01:10:54Z",
  "published": "2022-05-13T01:10:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-9028"
    },
    {
      "type": "WEB",
      "url": "https://support.ca.com/us/product-content/recommended-reading/security-notices/ca20180614-01--security-notice-for-ca-privileged-access-manager.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/104496"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4QGP-FHJ8-CFM3

Vulnerability from github – Published: 2022-05-04 00:00 – Updated: 2022-05-10 00:00
VLAI
Details

IBM Spectrum Scale 5.1.0 through 5.1.3.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 221012.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-22368"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-05-03T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "IBM Spectrum Scale 5.1.0 through 5.1.3.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 221012.",
  "id": "GHSA-4qgp-fhj8-cfm3",
  "modified": "2022-05-10T00:00:27Z",
  "published": "2022-05-04T00:00:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22368"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/221012"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6579139"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4WGF-9X5R-P938

Vulnerability from github – Published: 2022-05-13 01:50 – Updated: 2023-07-06 23:26
VLAI
Summary
Weak Cryptography in PHP-Proxy
Details

The str_rot_pass function in vendor/atholn1600/php-proxy/src/helpers.php in PHP-Proxy 5.1.0 uses weak cryptography, which makes it easier for attackers to calculate the authorization data needed for local file inclusion.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "athlon1600/php-proxy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "5.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2018-19784"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-06T23:26:41Z",
    "nvd_published_at": "2018-12-01T00:29:00Z",
    "severity": "HIGH"
  },
  "details": "The [str_rot_pass](https://github.com/Athlon1600/php-proxy/blob/9cc42804ddafa079b86b947e4dd83852edddffca/src/helpers.php#L66) function in vendor/atholn1600/php-proxy/src/helpers.php in PHP-Proxy 5.1.0 uses weak cryptography, which makes it easier for attackers to calculate the authorization data needed for local file inclusion.",
  "id": "GHSA-4wgf-9x5r-p938",
  "modified": "2023-07-06T23:26:41Z",
  "published": "2022-05-13T01:50:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-19784"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Athlon1600/php-proxy-app/issues/139"
    },
    {
      "type": "WEB",
      "url": "https://github.com/0xUhaw/CVE-Bins/tree/master/PHP-Proxy"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Athlon1600/php-proxy"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Weak Cryptography in PHP-Proxy"
}

GHSA-4X5H-XMV4-99WX

Vulnerability from github – Published: 2023-07-06 19:24 – Updated: 2024-10-18 16:28
VLAI
Summary
Apache Linkis Authentication Bypass vulnerability
Details

In Apache Linkis <=1.3.1, due to the default token generated by Linkis Gateway deployment being too simple, it is easy for attackers to obtain the default token for the attack. Generation rules should add random values.

We recommend users upgrade the version of Linkis to version 1.3.2 And modify the default token value. You can refer to Token authorization.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.linkis:linkis"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-27987"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-294",
      "CWE-326"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-06T22:04:03Z",
    "nvd_published_at": "2023-04-10T08:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "In Apache Linkis \u003c=1.3.1,\u00a0due to the default token generated by Linkis Gateway deployment being too simple, it is easy for attackers to obtain the default token for the attack.\u00a0Generation rules should add random values.\n\nWe recommend users upgrade the version of Linkis to version 1.3.2 And modify the default token value. You can refer to Token authorization.",
  "id": "GHSA-4x5h-xmv4-99wx",
  "modified": "2024-10-18T16:28:11Z",
  "published": "2023-07-06T19:24:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27987"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/linkis"
    },
    {
      "type": "WEB",
      "url": "https://linkis.apache.org/docs/latest/auth/token"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/3cr1cz3210wzwngldwrqzm43vwhghp0p"
    },
    {
      "type": "WEB",
      "url": "https://www.openwall.com/lists/oss-security/2023/04/10/3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apache Linkis Authentication Bypass vulnerability"
}

GHSA-565H-44M8-4C2V

Vulnerability from github – Published: 2025-07-18 18:30 – Updated: 2026-05-07 05:15
VLAI
Summary
xxl-job has Inadequate Encryption Strength
Details

A vulnerability was found in Xuxueli xxl-job up to 3.1.1 and classified as problematic. Affected by this issue is the function makeToken of the file src/main/java/com/xxl/job/admin/controller/IndexController.java of the component Token Generation. The manipulation leads to password hash with insufficient computational effort. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.1.1"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "com.xuxueli:xxl-job-admin"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-7789"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-07T05:15:45Z",
    "nvd_published_at": "2025-07-18T16:15:31Z",
    "severity": "LOW"
  },
  "details": "A vulnerability was found in Xuxueli xxl-job up to 3.1.1 and classified as problematic. Affected by this issue is the function makeToken of the file src/main/java/com/xxl/job/admin/controller/IndexController.java of the component Token Generation. The manipulation leads to password hash with insufficient computational effort. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used.",
  "id": "GHSA-565h-44m8-4c2v",
  "modified": "2026-05-07T05:15:45Z",
  "published": "2025-07-18T18:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7789"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xuxueli/xxl-job/issues/3751"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xuxueli/xxl-job/commit/cb1bd548a6d9512aab6f1ba9c5686de62f863fcd"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/xuxueli/xxl-job"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.316850"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.316850"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.615760"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "xxl-job has Inadequate Encryption Strength "
}

GHSA-56WG-JRCG-XC4Q

Vulnerability from github – Published: 2022-05-24 17:42 – Updated: 2023-05-12 00:30
VLAI
Details

IBM Security Verify Information Queue 1.0.6 and 1.0.7 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 198184.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-20406"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326",
      "CWE-327"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-02-12T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "IBM Security Verify Information Queue 1.0.6 and 1.0.7 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 198184.",
  "id": "GHSA-56wg-jrcg-xc4q",
  "modified": "2023-05-12T00:30:16Z",
  "published": "2022-05-24T17:42:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20406"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/196184"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6414763"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-58PP-MQMQ-89C9

Vulnerability from github – Published: 2023-02-09 21:30 – Updated: 2023-02-17 18:30
VLAI
Details

Improper cryptographic implementation in Samsung Flow for PC 4.9.14.0 allows adjacent attackers to decrypt encrypted messages or inject commands.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-21444"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-02-09T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "Improper cryptographic implementation in Samsung Flow for PC 4.9.14.0 allows adjacent attackers to decrypt encrypted messages or inject commands.",
  "id": "GHSA-58pp-mqmq-89c9",
  "modified": "2023-02-17T18:30:25Z",
  "published": "2023-02-09T21:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-21444"
    },
    {
      "type": "WEB",
      "url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2023\u0026month=02"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Use an encryption scheme that is currently considered to be strong by experts in the field.

CAPEC-112: Brute Force

In this attack, some asset (information, functionality, identity, etc.) is protected by a finite secret value. The attacker attempts to gain access to this asset by using trial-and-error to exhaustively explore all the possible secret values in the hope of finding the secret (or a value that is functionally equivalent) that will unlock the asset.

CAPEC-192: Protocol Analysis

An adversary engages in activities to decipher and/or decode protocol information for a network or application communication protocol used for transmitting information between interconnected nodes or systems on a packet-switched data network. While this type of analysis involves the analysis of a networking protocol inherently, it does not require the presence of an actual or physical network.

CAPEC-20: Encryption Brute Forcing

An attacker, armed with the cipher text and the encryption algorithm used, performs an exhaustive (brute force) search on the key space to determine the key that decrypts the cipher text to obtain the plaintext.