Common Weakness Enumeration

CWE-326

Allowed-with-Review

Inadequate Encryption Strength

Abstraction: Class · Status: Draft

The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

631 vulnerabilities reference this CWE, most recent first.

GHSA-78J3-6R77-4FQX

Vulnerability from github – Published: 2022-05-05 00:29 – Updated: 2022-05-05 00:29
VLAI
Details

MobileIron VSP < 5.9.1 and Sentry < 5.0 has a weak password obfuscation algorithm

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2013-7286"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-02-12T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "MobileIron VSP \u003c 5.9.1 and Sentry \u003c 5.0 has a weak password obfuscation algorithm",
  "id": "GHSA-78j3-6r77-4fqx",
  "modified": "2022-05-05T00:29:37Z",
  "published": "2022-05-05T00:29:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-7286"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/92352"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2014/Apr/21"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-79MQ-68MF-P8FQ

Vulnerability from github – Published: 2023-05-17 03:30 – Updated: 2024-04-04 04:13
VLAI
Details

Canon IJ Network Tool/Ver.4.7.5 and earlier (supported OS: OS X 10.9.5-macOS 13),IJ Network Tool/Ver.4.7.3 and earlier (supported OS: OS X 10.7.5-OS X 10.8) allows an attacker to acquire sensitive information on the Wi-Fi connection setup of the printer from the communication of the software.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-1764"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-05-17T01:15:09Z",
    "severity": "MODERATE"
  },
  "details": "Canon IJ Network Tool/Ver.4.7.5 and earlier (supported OS: OS X 10.9.5-macOS 13),IJ Network Tool/Ver.4.7.3 and earlier (supported OS: OS X 10.7.5-OS X 10.8) allows an attacker to acquire sensitive information on the Wi-Fi connection setup of the printer from the communication of the software.",
  "id": "GHSA-79mq-68mf-p8fq",
  "modified": "2024-04-04T04:13:01Z",
  "published": "2023-05-17T03:30:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1764"
    },
    {
      "type": "WEB",
      "url": "https://psirt.canon/advisory-information/cp2023-002"
    },
    {
      "type": "WEB",
      "url": "https://psirt.canon/hardening"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7CH6-8WVC-R28C

Vulnerability from github – Published: 2022-05-24 17:12 – Updated: 2022-05-24 17:12
VLAI
Details

On BIG-IP 15.0.0-15.1.0.2, 14.1.0-14.1.2.3, 13.1.0-13.1.3.2, 12.1.0-12.1.5.1, and 11.5.2-11.6.5.1 and BIG-IQ 7.0.0, 6.0.0-6.1.0, and 5.2.0-5.4.0, in a High Availability (HA) network failover in Device Service Cluster (DSC), the failover service does not require a strong form of authentication and HA network failover traffic is not encrypted by Transport Layer Security (TLS).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-5860"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-03-27T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "On BIG-IP 15.0.0-15.1.0.2, 14.1.0-14.1.2.3, 13.1.0-13.1.3.2, 12.1.0-12.1.5.1, and 11.5.2-11.6.5.1 and BIG-IQ 7.0.0, 6.0.0-6.1.0, and 5.2.0-5.4.0, in a High Availability (HA) network failover in Device Service Cluster (DSC), the failover service does not require a strong form of authentication and HA network failover traffic is not encrypted by Transport Layer Security (TLS).",
  "id": "GHSA-7ch6-8wvc-r28c",
  "modified": "2022-05-24T17:12:55Z",
  "published": "2022-05-24T17:12:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5860"
    },
    {
      "type": "WEB",
      "url": "https://support.f5.com/csp/article/K67472032"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-7CMJ-XMP5-MMR2

Vulnerability from github – Published: 2022-05-24 19:02 – Updated: 2022-07-13 00:00
VLAI
Details

The NPort IA5000A Series devices use Telnet as one of the network device management services. Telnet does not support the encryption of client-server communications, making it vulnerable to Man-in-the-Middle attacks.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-27184"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-05-14T13:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The NPort IA5000A Series devices use Telnet as one of the network device management services. Telnet does not support the encryption of client-server communications, making it vulnerable to Man-in-the-Middle attacks.",
  "id": "GHSA-7cmj-xmp5-mmr2",
  "modified": "2022-07-13T00:00:50Z",
  "published": "2022-05-24T19:02:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27184"
    },
    {
      "type": "WEB",
      "url": "https://ics-cert.kaspersky.com/advisories/klcert-advisories/2021/05/11/klcert-20-020,"
    },
    {
      "type": "WEB",
      "url": "https://www.moxa.com/en/support/product-support/security-advisory/nport-ia5000a-serial-device-servers-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7FHV-RP66-Q6R9

Vulnerability from github – Published: 2023-02-13 03:30 – Updated: 2025-03-21 21:31
VLAI
Details

Driver Distributor v2.2.3.1 and earlier contains a vulnerability where passwords are stored in a recoverable format. If an attacker obtains a configuration file of Driver Distributor, the encrypted administrator's credentials may be decrypted.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-43460"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326",
      "CWE-522"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-02-13T02:21:00Z",
    "severity": "HIGH"
  },
  "details": "Driver Distributor v2.2.3.1 and earlier contains a vulnerability where passwords are stored in a recoverable format. If an attacker obtains a configuration file of Driver Distributor, the encrypted administrator\u0027s credentials may be decrypted.",
  "id": "GHSA-7fhv-rp66-q6r9",
  "modified": "2025-03-21T21:31:28Z",
  "published": "2023-02-13T03:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43460"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN22830348"
    },
    {
      "type": "WEB",
      "url": "https://www.fujifilm.com/fbglobal/eng/company/news/notice/2023/0131_announce.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7J63-969G-R2JP

Vulnerability from github – Published: 2022-10-17 19:00 – Updated: 2022-10-20 19:00
VLAI
Details

The Passster WordPress plugin before 3.5.5.5.2 stores the password inside a cookie named "passster" using base64 encoding method which is easy to decode. This puts the password at risk in case the cookies get leaked.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-3206"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-319",
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-10-17T12:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The Passster WordPress plugin before 3.5.5.5.2 stores the password inside a cookie named \"passster\" using base64 encoding method which is easy to decode. This puts the password at risk in case the cookies get leaked.",
  "id": "GHSA-7j63-969g-r2jp",
  "modified": "2022-10-20T19:00:34Z",
  "published": "2022-10-17T19:00:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3206"
    },
    {
      "type": "WEB",
      "url": "https://wpscan.com/vulnerability/a8963750-62bf-403e-a906-94f371ed2a7a"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7M7F-V3GJ-5795

Vulnerability from github – Published: 2022-05-17 02:41 – Updated: 2022-05-17 02:41
VLAI
Details

IBM BigFix Compliance Analytics 1.9.79 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 123431.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-1179"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-06-08T21:29:00Z",
    "severity": "MODERATE"
  },
  "details": "IBM BigFix Compliance Analytics 1.9.79 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 123431.",
  "id": "GHSA-7m7f-v3gj-5795",
  "modified": "2022-05-17T02:41:09Z",
  "published": "2022-05-17T02:41:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1179"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/123431"
    },
    {
      "type": "WEB",
      "url": "http://www.ibm.com/support/docview.wss?uid=swg22004161"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/98910"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7P78-G262-F9RP

Vulnerability from github – Published: 2022-07-26 00:01 – Updated: 2023-07-11 15:31
VLAI
Details

LibreOffice supports the storage of passwords for web connections in the user’s configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in LibreOffice existed where master key was poorly encoded resulting in weakening its entropy from 128 to 43 bits making the stored passwords vulerable to a brute force attack if an attacker has access to the users stored config. This issue affects: The Document Foundation LibreOffice 7.2 versions prior to 7.2.7; 7.3 versions prior to 7.3.3.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-26307"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312",
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-07-25T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "LibreOffice supports the storage of passwords for web connections in the user\u2019s configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in LibreOffice existed where master key was poorly encoded resulting in weakening its entropy from 128 to 43 bits making the stored passwords vulerable to a brute force attack if an attacker has access to the users stored config. This issue affects: The Document Foundation LibreOffice 7.2 versions prior to 7.2.7; 7.3 versions prior to 7.3.3.",
  "id": "GHSA-7p78-g262-f9rp",
  "modified": "2023-07-11T15:31:08Z",
  "published": "2022-07-26T00:01:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26307"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/03/msg00022.html"
    },
    {
      "type": "WEB",
      "url": "https://www.libreoffice.org/about-us/security/advisories/cve-2022-26307"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2022/08/13/2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7P98-XCGC-GWHJ

Vulnerability from github – Published: 2022-05-24 17:39 – Updated: 2026-07-05 00:31
VLAI
Details

Bleichenbacher's attack on PKCS #1 v1.5 padding for RSA in STM32 cryptographic firmware library software expansion for STM32Cube (UM1924). The vulnerability can allow one to use Bleichenbacher's oracle attack to decrypt an encrypted ciphertext by making successive queries to the server using the vulnerable library, resulting in remote information disclosure.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-20949"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326",
      "CWE-327"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-01-20T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Bleichenbacher\u0027s attack on PKCS #1 v1.5 padding for RSA in STM32 cryptographic firmware library software expansion for STM32Cube (UM1924). The vulnerability can allow one to use Bleichenbacher\u0027s oracle attack to decrypt an encrypted ciphertext by making successive queries to the server using the vulnerable library, resulting in remote information disclosure.",
  "id": "GHSA-7p98-xcgc-gwhj",
  "modified": "2026-07-05T00:31:17Z",
  "published": "2022-05-24T17:39:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-20949"
    },
    {
      "type": "WEB",
      "url": "https://bi-zone.medium.com/silence-will-fall-or-how-it-can-take-2-years-to-get-your-vuln-registered-e6134846f5bb"
    },
    {
      "type": "WEB",
      "url": "https://www.st.com/en/embedded-software/x-cube-cryptolib.html"
    },
    {
      "type": "WEB",
      "url": "http://archiv.infsec.ethz.ch/education/fs08/secsem/bleichenbacher98.pdf"
    },
    {
      "type": "WEB",
      "url": "http://st.com"
    },
    {
      "type": "WEB",
      "url": "http://x-cube-cryptolib.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7Q95-85PH-5GRX

Vulnerability from github – Published: 2024-08-12 15:30 – Updated: 2024-08-12 15:30
VLAI
Details

Inadequate Encryption Strength vulnerability allow an authenticated attacker to execute arbitrary OS Commands via encrypted package upload.This issue affects Envoy: 4.x and 5.x

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-21881"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-12T13:38:15Z",
    "severity": "HIGH"
  },
  "details": "Inadequate Encryption Strength vulnerability allow an authenticated attacker to execute arbitrary OS Commands via encrypted package upload.This issue affects Envoy: 4.x and 5.x",
  "id": "GHSA-7q95-85ph-5grx",
  "modified": "2024-08-12T15:30:49Z",
  "published": "2024-08-12T15:30:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21881"
    },
    {
      "type": "WEB",
      "url": "https://csirt.divd.nl/CVE-2024-21881"
    },
    {
      "type": "WEB",
      "url": "https://csirt.divd.nl/DIVD-2024-00011"
    },
    {
      "type": "WEB",
      "url": "https://enphase.com/cybersecurity/advisories/ensa-2024-6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:I/V:C/RE:H/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation
Architecture and Design

Use an encryption scheme that is currently considered to be strong by experts in the field.

CAPEC-112: Brute Force

In this attack, some asset (information, functionality, identity, etc.) is protected by a finite secret value. The attacker attempts to gain access to this asset by using trial-and-error to exhaustively explore all the possible secret values in the hope of finding the secret (or a value that is functionally equivalent) that will unlock the asset.

CAPEC-192: Protocol Analysis

An adversary engages in activities to decipher and/or decode protocol information for a network or application communication protocol used for transmitting information between interconnected nodes or systems on a packet-switched data network. While this type of analysis involves the analysis of a networking protocol inherently, it does not require the presence of an actual or physical network.

CAPEC-20: Encryption Brute Forcing

An attacker, armed with the cipher text and the encryption algorithm used, performs an exhaustive (brute force) search on the key space to determine the key that decrypts the cipher text to obtain the plaintext.