Common Weakness Enumeration

CWE-326

Allowed-with-Review

Inadequate Encryption Strength

Abstraction: Class · Status: Draft

The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

632 vulnerabilities reference this CWE, most recent first.

GHSA-65V8-8343-JCQR

Vulnerability from github – Published: 2021-12-07 00:00 – Updated: 2022-07-13 00:01
VLAI
Details

Assuming a database breach, nonce reuse issues in GitLab 11.6+ allows an attacker to decrypt some of the database's encrypted content

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-22170"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-12-06T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "Assuming a database breach, nonce reuse issues in GitLab 11.6+ allows an attacker to decrypt some of the database\u0027s encrypted content",
  "id": "GHSA-65v8-8343-jcqr",
  "modified": "2022-07-13T00:01:08Z",
  "published": "2021-12-07T00:00:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22170"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22170.json"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/36855"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6655-7W5J-5H7J

Vulnerability from github – Published: 2022-09-17 00:00 – Updated: 2022-09-21 00:00
VLAI
Details

Adobe Experience Manager versions 6.5.13.0 (and earlier) is affected by a Violation of Secure Design Principles vulnerability that could lead to bypass the security feature of the encryption mechanism in the backend . An attacker could leverage this vulnerability to decrypt secrets, however, this is a high-complexity attack as the threat actor needs to already possess those secrets. Exploitation of this issue requires low-privilege access to AEM.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-30683"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326",
      "CWE-657"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-09-16T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Adobe Experience Manager versions 6.5.13.0 (and earlier) is affected by a Violation of Secure Design Principles vulnerability that could lead to bypass the security feature of the encryption mechanism in the backend . An attacker could leverage this vulnerability to decrypt secrets, however, this is a high-complexity attack as the threat actor needs to already possess those secrets. Exploitation of this issue requires low-privilege access to AEM.",
  "id": "GHSA-6655-7w5j-5h7j",
  "modified": "2022-09-21T00:00:38Z",
  "published": "2022-09-17T00:00:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30683"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/experience-manager/apsb22-40.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-66VF-XW82-P57G

Vulnerability from github – Published: 2023-11-06 21:31 – Updated: 2023-11-06 21:31
VLAI
Details

Weak ciphers in Softing smartLink SW-HT before 1.30 are enabled during secure communication (SSL).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-48193"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-06T20:15:07Z",
    "severity": "MODERATE"
  },
  "details": "Weak ciphers in Softing smartLink SW-HT before 1.30 are enabled during secure communication (SSL).",
  "id": "GHSA-66vf-xw82-p57g",
  "modified": "2023-11-06T21:31:08Z",
  "published": "2023-11-06T21:31:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48193"
    },
    {
      "type": "WEB",
      "url": "https://industrial.softing.com/fileadmin/psirt/downloads/syt-2022-11.html"
    },
    {
      "type": "WEB",
      "url": "https://industrial.softing.com/fileadmin/psirt/downloads/syt-2022-11.json"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-678C-G967-VV47

Vulnerability from github – Published: 2022-05-24 19:20 – Updated: 2022-05-24 19:20
VLAI
Details

An information disclosure vulnerability was reported in some Motorola-branded Binatone Hubble Cameras that could allow an attacker with physical access to obtain the encryption key used to decrypt firmware update packages.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-3789"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-11-12T22:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An information disclosure vulnerability was reported in some Motorola-branded Binatone Hubble Cameras that could allow an attacker with physical access to obtain the encryption key used to decrypt firmware update packages.",
  "id": "GHSA-678c-g967-vv47",
  "modified": "2022-05-24T19:20:29Z",
  "published": "2022-05-24T19:20:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3789"
    },
    {
      "type": "WEB",
      "url": "https://binatoneglobal.com/security-advisory"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-67FJ-6W6M-W5J8

Vulnerability from github – Published: 2022-05-25 22:34 – Updated: 2022-05-25 22:34
VLAI
Summary
Reversible One-Way Hash in io.github.javaezlib:JavaEZ
Details

Impact

This weakness allows the force decryption of locked text by hackers. The issue is NOT critical for non-secure applications, however may be critical in a situation where the highest levels of security are required. This issue ONLY affects v1.6 and does not affect anything pre-1.6. Upgrading to 1.7 is advised.

Patches

The vulnerability has been patched in release 1.7.

Workarounds

Currently there is no way to fix the issue without upgrading.

References

CWE-327 CWE-328

For more information

If you have any questions or comments about this advisory: * Open an issue in our issue tracker * Email us at javaezlib@gmail.com

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.github.javaezlib:JavaEZ"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.6"
            },
            {
              "fixed": "1.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "1.6"
      ]
    }
  ],
  "aliases": [
    "CVE-2022-29249"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326",
      "CWE-327",
      "CWE-328"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-05-25T22:34:15Z",
    "nvd_published_at": "2022-05-24T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nThis weakness allows the force decryption of locked text by hackers. The issue is NOT critical for non-secure applications, however may be critical in a situation where the highest levels of security are required. This issue ONLY affects v1.6 and does not affect anything pre-1.6. Upgrading to 1.7 is advised.\n\n### Patches\nThe vulnerability has been patched in release 1.7.\n\n### Workarounds\nCurrently there is no way to fix the issue without upgrading.\n\n### References\n[CWE-327](https://cwe.mitre.org/data/definitions/327.html)\n[CWE-328](https://cwe.mitre.org/data/definitions/328.html)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [our issue tracker](http://github.com/JavaEZLib/JavaEZ/issues)\n* Email us at [javaezlib@gmail.com](mailto:javaezlib@gmail.com)\n",
  "id": "GHSA-67fj-6w6m-w5j8",
  "modified": "2022-05-25T22:34:15Z",
  "published": "2022-05-25T22:34:15Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/JavaEZLib/JavaEZ/security/advisories/GHSA-67fj-6w6m-w5j8"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29249"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/JavaEZLib/JavaEZ"
    },
    {
      "type": "WEB",
      "url": "https://github.com/JavaEZLib/JavaEZ/releases/tag/1.7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Reversible One-Way Hash in io.github.javaezlib:JavaEZ"
}

GHSA-67RP-QVHX-GP49

Vulnerability from github – Published: 2022-05-14 04:03 – Updated: 2022-05-14 04:03
VLAI
Details

A vulnerability in Trend Micro ScanMail for Exchange 12.0 exists in which some communications to the update servers are not encrypted.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-14090"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-12-16T02:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "A vulnerability in Trend Micro ScanMail for Exchange 12.0 exists in which some communications to the update servers are not encrypted.",
  "id": "GHSA-67rp-qvhx-gp49",
  "modified": "2022-05-14T04:03:37Z",
  "published": "2022-05-14T04:03:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-14090"
    },
    {
      "type": "WEB",
      "url": "https://success.trendmicro.com/solution/1118486"
    },
    {
      "type": "WEB",
      "url": "https://www.coresecurity.com/advisories/trend-micro-scanmail-microsoft-exchange-multiple-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-68PF-56RH-7FJ8

Vulnerability from github – Published: 2022-05-13 01:53 – Updated: 2022-05-13 01:53
VLAI
Details

comforte SWAP 1049 through 1069 and 20.0.0 through 21.5.3 (as used in SSLOBJ on HPE NonStop SSL T0910, and in the comforte SecurCS, SecurFTP, SecurLib/SSL-AT, and SecurTN products), after executing the RELOAD CERTIFICATES command, does not ensure that clients use a strong TLS cipher suite, which makes it easier for remote attackers to defeat intended cryptographic protection mechanisms by sniffing the network. This is fixed in 21.6.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-6653"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-03-01T00:29:00Z",
    "severity": "MODERATE"
  },
  "details": "comforte SWAP 1049 through 1069 and 20.0.0 through 21.5.3 (as used in SSLOBJ on HPE NonStop SSL T0910, and in the comforte SecurCS, SecurFTP, SecurLib/SSL-AT, and SecurTN products), after executing the RELOAD CERTIFICATES command, does not ensure that clients use a strong TLS cipher suite, which makes it easier for remote attackers to defeat intended cryptographic protection mechanisms by sniffing the network. This is fixed in 21.6.0.",
  "id": "GHSA-68pf-56rh-7fj8",
  "modified": "2022-05-13T01:53:09Z",
  "published": "2022-05-13T01:53:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6653"
    },
    {
      "type": "WEB",
      "url": "https://comforte.com/cve-2018-6653"
    },
    {
      "type": "WEB",
      "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbns03827en_us"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-69H6-426Q-XX8G

Vulnerability from github – Published: 2023-07-05 21:30 – Updated: 2024-04-04 05:23
VLAI
Details

AMI SPx contains a vulnerability in the BMC where a user may cause an inadequate encryption strength by hash-based message authentication code (HMAC). A successful exploit of this vulnerability may lead to a loss of confidentiality, integrity, and availability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-34337"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-05T19:15:09Z",
    "severity": "HIGH"
  },
  "details": "\nAMI SPx contains a vulnerability in the BMC where a user may cause an inadequate encryption strength by hash-based message authentication code (HMAC). A successful exploit of this vulnerability\u00a0may lead to a loss of confidentiality, integrity, and availability. \n\n\n\n",
  "id": "GHSA-69h6-426q-xx8g",
  "modified": "2024-04-04T05:23:56Z",
  "published": "2023-07-05T21:30:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34337"
    },
    {
      "type": "WEB",
      "url": "https://9443417.fs1.hubspotusercontent-na1.net/hubfs/9443417/Security%20Advisories/AMI-SA-2023006.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6CH4-944P-WF7J

Vulnerability from github – Published: 2025-08-07 21:31 – Updated: 2025-08-12 15:31
VLAI
Details

ruby-jwt v3.0.0.beta1 was discovered to contain weak encryption. NOTE: the Supplier's perspective is "keysize is not something that is enforced by this library. Currently more recent versions of OpenSSL are enforcing some key sizes and those restrictions apply to the users of this gem also."

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-45765"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-07T21:15:27Z",
    "severity": "CRITICAL"
  },
  "details": "ruby-jwt v3.0.0.beta1 was discovered to contain weak encryption. NOTE: the Supplier\u0027s perspective is \"keysize is not something that is enforced by this library. Currently more recent versions of OpenSSL are enforcing some key sizes and those restrictions apply to the users of this gem also.\"",
  "id": "GHSA-6ch4-944p-wf7j",
  "modified": "2025-08-12T15:31:15Z",
  "published": "2025-08-07T21:31:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-45765"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jwt/ruby-jwt/issues/668"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/ZupeiNie/c621253068ce5b64911629534879e8f9"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6FQJ-W26X-Q42V

Vulnerability from github – Published: 2021-12-02 00:00 – Updated: 2021-12-03 00:00
VLAI
Details

IBM QRadar SIEM 7.3 and 7.4 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 196074.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-20400"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-12-01T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "IBM QRadar SIEM 7.3 and 7.4 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 196074.",
  "id": "GHSA-6fqj-w26x-q42v",
  "modified": "2021-12-03T00:00:43Z",
  "published": "2021-12-02T00:00:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20400"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/196074"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6520488"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation
Architecture and Design

Use an encryption scheme that is currently considered to be strong by experts in the field.

CAPEC-112: Brute Force

In this attack, some asset (information, functionality, identity, etc.) is protected by a finite secret value. The attacker attempts to gain access to this asset by using trial-and-error to exhaustively explore all the possible secret values in the hope of finding the secret (or a value that is functionally equivalent) that will unlock the asset.

CAPEC-192: Protocol Analysis

An adversary engages in activities to decipher and/or decode protocol information for a network or application communication protocol used for transmitting information between interconnected nodes or systems on a packet-switched data network. While this type of analysis involves the analysis of a networking protocol inherently, it does not require the presence of an actual or physical network.

CAPEC-20: Encryption Brute Forcing

An attacker, armed with the cipher text and the encryption algorithm used, performs an exhaustive (brute force) search on the key space to determine the key that decrypts the cipher text to obtain the plaintext.