CWE-326
Allowed-with-ReviewInadequate Encryption Strength
Abstraction: Class · Status: Draft
The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
631 vulnerabilities reference this CWE, most recent first.
GHSA-78J3-6R77-4FQX
Vulnerability from github – Published: 2022-05-05 00:29 – Updated: 2022-05-05 00:29MobileIron VSP < 5.9.1 and Sentry < 5.0 has a weak password obfuscation algorithm
{
"affected": [],
"aliases": [
"CVE-2013-7286"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-02-12T18:15:00Z",
"severity": "MODERATE"
},
"details": "MobileIron VSP \u003c 5.9.1 and Sentry \u003c 5.0 has a weak password obfuscation algorithm",
"id": "GHSA-78j3-6r77-4fqx",
"modified": "2022-05-05T00:29:37Z",
"published": "2022-05-05T00:29:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-7286"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/92352"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2014/Apr/21"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-79MQ-68MF-P8FQ
Vulnerability from github – Published: 2023-05-17 03:30 – Updated: 2024-04-04 04:13Canon IJ Network Tool/Ver.4.7.5 and earlier (supported OS: OS X 10.9.5-macOS 13),IJ Network Tool/Ver.4.7.3 and earlier (supported OS: OS X 10.7.5-OS X 10.8) allows an attacker to acquire sensitive information on the Wi-Fi connection setup of the printer from the communication of the software.
{
"affected": [],
"aliases": [
"CVE-2023-1764"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-17T01:15:09Z",
"severity": "MODERATE"
},
"details": "Canon IJ Network Tool/Ver.4.7.5 and earlier (supported OS: OS X 10.9.5-macOS 13),IJ Network Tool/Ver.4.7.3 and earlier (supported OS: OS X 10.7.5-OS X 10.8) allows an attacker to acquire sensitive information on the Wi-Fi connection setup of the printer from the communication of the software.",
"id": "GHSA-79mq-68mf-p8fq",
"modified": "2024-04-04T04:13:01Z",
"published": "2023-05-17T03:30:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1764"
},
{
"type": "WEB",
"url": "https://psirt.canon/advisory-information/cp2023-002"
},
{
"type": "WEB",
"url": "https://psirt.canon/hardening"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7CH6-8WVC-R28C
Vulnerability from github – Published: 2022-05-24 17:12 – Updated: 2022-05-24 17:12On BIG-IP 15.0.0-15.1.0.2, 14.1.0-14.1.2.3, 13.1.0-13.1.3.2, 12.1.0-12.1.5.1, and 11.5.2-11.6.5.1 and BIG-IQ 7.0.0, 6.0.0-6.1.0, and 5.2.0-5.4.0, in a High Availability (HA) network failover in Device Service Cluster (DSC), the failover service does not require a strong form of authentication and HA network failover traffic is not encrypted by Transport Layer Security (TLS).
{
"affected": [],
"aliases": [
"CVE-2020-5860"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-03-27T15:15:00Z",
"severity": "MODERATE"
},
"details": "On BIG-IP 15.0.0-15.1.0.2, 14.1.0-14.1.2.3, 13.1.0-13.1.3.2, 12.1.0-12.1.5.1, and 11.5.2-11.6.5.1 and BIG-IQ 7.0.0, 6.0.0-6.1.0, and 5.2.0-5.4.0, in a High Availability (HA) network failover in Device Service Cluster (DSC), the failover service does not require a strong form of authentication and HA network failover traffic is not encrypted by Transport Layer Security (TLS).",
"id": "GHSA-7ch6-8wvc-r28c",
"modified": "2022-05-24T17:12:55Z",
"published": "2022-05-24T17:12:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5860"
},
{
"type": "WEB",
"url": "https://support.f5.com/csp/article/K67472032"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-7CMJ-XMP5-MMR2
Vulnerability from github – Published: 2022-05-24 19:02 – Updated: 2022-07-13 00:00The NPort IA5000A Series devices use Telnet as one of the network device management services. Telnet does not support the encryption of client-server communications, making it vulnerable to Man-in-the-Middle attacks.
{
"affected": [],
"aliases": [
"CVE-2020-27184"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-05-14T13:15:00Z",
"severity": "MODERATE"
},
"details": "The NPort IA5000A Series devices use Telnet as one of the network device management services. Telnet does not support the encryption of client-server communications, making it vulnerable to Man-in-the-Middle attacks.",
"id": "GHSA-7cmj-xmp5-mmr2",
"modified": "2022-07-13T00:00:50Z",
"published": "2022-05-24T19:02:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27184"
},
{
"type": "WEB",
"url": "https://ics-cert.kaspersky.com/advisories/klcert-advisories/2021/05/11/klcert-20-020,"
},
{
"type": "WEB",
"url": "https://www.moxa.com/en/support/product-support/security-advisory/nport-ia5000a-serial-device-servers-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7FHV-RP66-Q6R9
Vulnerability from github – Published: 2023-02-13 03:30 – Updated: 2025-03-21 21:31Driver Distributor v2.2.3.1 and earlier contains a vulnerability where passwords are stored in a recoverable format. If an attacker obtains a configuration file of Driver Distributor, the encrypted administrator's credentials may be decrypted.
{
"affected": [],
"aliases": [
"CVE-2022-43460"
],
"database_specific": {
"cwe_ids": [
"CWE-326",
"CWE-522"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-13T02:21:00Z",
"severity": "HIGH"
},
"details": "Driver Distributor v2.2.3.1 and earlier contains a vulnerability where passwords are stored in a recoverable format. If an attacker obtains a configuration file of Driver Distributor, the encrypted administrator\u0027s credentials may be decrypted.",
"id": "GHSA-7fhv-rp66-q6r9",
"modified": "2025-03-21T21:31:28Z",
"published": "2023-02-13T03:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43460"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN22830348"
},
{
"type": "WEB",
"url": "https://www.fujifilm.com/fbglobal/eng/company/news/notice/2023/0131_announce.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7J63-969G-R2JP
Vulnerability from github – Published: 2022-10-17 19:00 – Updated: 2022-10-20 19:00The Passster WordPress plugin before 3.5.5.5.2 stores the password inside a cookie named "passster" using base64 encoding method which is easy to decode. This puts the password at risk in case the cookies get leaked.
{
"affected": [],
"aliases": [
"CVE-2022-3206"
],
"database_specific": {
"cwe_ids": [
"CWE-319",
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-10-17T12:15:00Z",
"severity": "MODERATE"
},
"details": "The Passster WordPress plugin before 3.5.5.5.2 stores the password inside a cookie named \"passster\" using base64 encoding method which is easy to decode. This puts the password at risk in case the cookies get leaked.",
"id": "GHSA-7j63-969g-r2jp",
"modified": "2022-10-20T19:00:34Z",
"published": "2022-10-17T19:00:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3206"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/a8963750-62bf-403e-a906-94f371ed2a7a"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7M7F-V3GJ-5795
Vulnerability from github – Published: 2022-05-17 02:41 – Updated: 2022-05-17 02:41IBM BigFix Compliance Analytics 1.9.79 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 123431.
{
"affected": [],
"aliases": [
"CVE-2017-1179"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-06-08T21:29:00Z",
"severity": "MODERATE"
},
"details": "IBM BigFix Compliance Analytics 1.9.79 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 123431.",
"id": "GHSA-7m7f-v3gj-5795",
"modified": "2022-05-17T02:41:09Z",
"published": "2022-05-17T02:41:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1179"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/123431"
},
{
"type": "WEB",
"url": "http://www.ibm.com/support/docview.wss?uid=swg22004161"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/98910"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7P78-G262-F9RP
Vulnerability from github – Published: 2022-07-26 00:01 – Updated: 2023-07-11 15:31LibreOffice supports the storage of passwords for web connections in the user’s configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in LibreOffice existed where master key was poorly encoded resulting in weakening its entropy from 128 to 43 bits making the stored passwords vulerable to a brute force attack if an attacker has access to the users stored config. This issue affects: The Document Foundation LibreOffice 7.2 versions prior to 7.2.7; 7.3 versions prior to 7.3.3.
{
"affected": [],
"aliases": [
"CVE-2022-26307"
],
"database_specific": {
"cwe_ids": [
"CWE-312",
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-25T15:15:00Z",
"severity": "HIGH"
},
"details": "LibreOffice supports the storage of passwords for web connections in the user\u2019s configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in LibreOffice existed where master key was poorly encoded resulting in weakening its entropy from 128 to 43 bits making the stored passwords vulerable to a brute force attack if an attacker has access to the users stored config. This issue affects: The Document Foundation LibreOffice 7.2 versions prior to 7.2.7; 7.3 versions prior to 7.3.3.",
"id": "GHSA-7p78-g262-f9rp",
"modified": "2023-07-11T15:31:08Z",
"published": "2022-07-26T00:01:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26307"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/03/msg00022.html"
},
{
"type": "WEB",
"url": "https://www.libreoffice.org/about-us/security/advisories/cve-2022-26307"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2022/08/13/2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7P98-XCGC-GWHJ
Vulnerability from github – Published: 2022-05-24 17:39 – Updated: 2026-07-05 00:31Bleichenbacher's attack on PKCS #1 v1.5 padding for RSA in STM32 cryptographic firmware library software expansion for STM32Cube (UM1924). The vulnerability can allow one to use Bleichenbacher's oracle attack to decrypt an encrypted ciphertext by making successive queries to the server using the vulnerable library, resulting in remote information disclosure.
{
"affected": [],
"aliases": [
"CVE-2020-20949"
],
"database_specific": {
"cwe_ids": [
"CWE-326",
"CWE-327"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-01-20T16:15:00Z",
"severity": "MODERATE"
},
"details": "Bleichenbacher\u0027s attack on PKCS #1 v1.5 padding for RSA in STM32 cryptographic firmware library software expansion for STM32Cube (UM1924). The vulnerability can allow one to use Bleichenbacher\u0027s oracle attack to decrypt an encrypted ciphertext by making successive queries to the server using the vulnerable library, resulting in remote information disclosure.",
"id": "GHSA-7p98-xcgc-gwhj",
"modified": "2026-07-05T00:31:17Z",
"published": "2022-05-24T17:39:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-20949"
},
{
"type": "WEB",
"url": "https://bi-zone.medium.com/silence-will-fall-or-how-it-can-take-2-years-to-get-your-vuln-registered-e6134846f5bb"
},
{
"type": "WEB",
"url": "https://www.st.com/en/embedded-software/x-cube-cryptolib.html"
},
{
"type": "WEB",
"url": "http://archiv.infsec.ethz.ch/education/fs08/secsem/bleichenbacher98.pdf"
},
{
"type": "WEB",
"url": "http://st.com"
},
{
"type": "WEB",
"url": "http://x-cube-cryptolib.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7Q95-85PH-5GRX
Vulnerability from github – Published: 2024-08-12 15:30 – Updated: 2024-08-12 15:30Inadequate Encryption Strength vulnerability allow an authenticated attacker to execute arbitrary OS Commands via encrypted package upload.This issue affects Envoy: 4.x and 5.x
{
"affected": [],
"aliases": [
"CVE-2024-21881"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-12T13:38:15Z",
"severity": "HIGH"
},
"details": "Inadequate Encryption Strength vulnerability allow an authenticated attacker to execute arbitrary OS Commands via encrypted package upload.This issue affects Envoy: 4.x and 5.x",
"id": "GHSA-7q95-85ph-5grx",
"modified": "2024-08-12T15:30:49Z",
"published": "2024-08-12T15:30:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21881"
},
{
"type": "WEB",
"url": "https://csirt.divd.nl/CVE-2024-21881"
},
{
"type": "WEB",
"url": "https://csirt.divd.nl/DIVD-2024-00011"
},
{
"type": "WEB",
"url": "https://enphase.com/cybersecurity/advisories/ensa-2024-6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:I/V:C/RE:H/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation
Use an encryption scheme that is currently considered to be strong by experts in the field.
CAPEC-112: Brute Force
In this attack, some asset (information, functionality, identity, etc.) is protected by a finite secret value. The attacker attempts to gain access to this asset by using trial-and-error to exhaustively explore all the possible secret values in the hope of finding the secret (or a value that is functionally equivalent) that will unlock the asset.
CAPEC-192: Protocol Analysis
An adversary engages in activities to decipher and/or decode protocol information for a network or application communication protocol used for transmitting information between interconnected nodes or systems on a packet-switched data network. While this type of analysis involves the analysis of a networking protocol inherently, it does not require the presence of an actual or physical network.
CAPEC-20: Encryption Brute Forcing
An attacker, armed with the cipher text and the encryption algorithm used, performs an exhaustive (brute force) search on the key space to determine the key that decrypts the cipher text to obtain the plaintext.