CWE-326
Allowed-with-ReviewInadequate Encryption Strength
Abstraction: Class · Status: Draft
The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
631 vulnerabilities reference this CWE, most recent first.
GHSA-P723-W3QM-QPVW
Vulnerability from github – Published: 2022-05-24 17:34 – Updated: 2022-05-24 17:34Inadequate encryption strength in subsystem for Intel(R) CSME versions before 13.0.40 and 13.30.10 may allow an unauthenticated user to potentially enable information disclosure via physical access.
{
"affected": [],
"aliases": [
"CVE-2020-8761"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-11-12T18:15:00Z",
"severity": "MODERATE"
},
"details": "Inadequate encryption strength in subsystem for Intel(R) CSME versions before 13.0.40 and 13.30.10 may allow an unauthenticated user to potentially enable information disclosure via physical access.",
"id": "GHSA-p723-w3qm-qpvw",
"modified": "2022-05-24T17:34:14Z",
"published": "2022-05-24T17:34:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8761"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20201113-0002"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00391"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-PC4M-VCWH-9C5H
Vulnerability from github – Published: 2022-11-01 19:00 – Updated: 2022-11-03 19:00The application was signed using a key length less than or equal to 1024 bits, making it potentially vulnerable to forged digital signatures. An attacker could forge the same digital signature of the app after maliciously modifying the app.
{
"affected": [],
"aliases": [
"CVE-2020-4099"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-01T18:15:00Z",
"severity": "HIGH"
},
"details": "The application was signed using a key length less than or equal to 1024 bits, making it potentially vulnerable to forged digital signatures. An attacker could forge the same digital signature of the app after maliciously modifying the app.",
"id": "GHSA-pc4m-vcwh-9c5h",
"modified": "2022-11-03T19:00:25Z",
"published": "2022-11-01T19:00:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-4099"
},
{
"type": "WEB",
"url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0100861"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PC4P-7W58-PGG2
Vulnerability from github – Published: 2022-04-30 18:18 – Updated: 2024-02-14 18:30Pathways Homecare 6.5 uses weak encryption for user names and passwords, which allows local users to gain privileges by recovering the passwords from the pwhc.ini file.
{
"affected": [],
"aliases": [
"CVE-2001-1546"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2001-12-31T05:00:00Z",
"severity": "MODERATE"
},
"details": "Pathways Homecare 6.5 uses weak encryption for user names and passwords, which allows local users to gain privileges by recovering the passwords from the pwhc.ini file.",
"id": "GHSA-pc4p-7w58-pgg2",
"modified": "2024-02-14T18:30:21Z",
"published": "2022-04-30T18:18:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2001-1546"
},
{
"type": "WEB",
"url": "http://www.iss.net/security_center/static/7682.php"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/archive/1/244367"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/3653"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PFQV-VHWJ-2RJW
Vulnerability from github – Published: 2026-05-11 18:31 – Updated: 2026-05-11 18:31In Meari IoT SDK image handling (libmrplayer.so) as observed in CloudEdge 5.5.0 (build 220), Arenti 1.8.1 (build 220), and related white-label apps (<= 1.8.x), baby monitor ".jpgx3" files use reversible XOR over only the first 1024 bytes with a predictable key derivation model.
{
"affected": [],
"aliases": [
"CVE-2026-33361"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-11T17:16:30Z",
"severity": "HIGH"
},
"details": "In Meari IoT SDK image handling (libmrplayer.so) as observed in CloudEdge 5.5.0 (build 220), Arenti 1.8.1 (build 220), and related white-label apps (\u003c= 1.8.x), baby monitor \".jpgx3\" files use reversible XOR over only the first 1024 bytes with a predictable key derivation model.",
"id": "GHSA-pfqv-vhwj-2rjw",
"modified": "2026-05-11T18:31:45Z",
"published": "2026-05-11T18:31:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33361"
},
{
"type": "WEB",
"url": "https://github.com/xn0tsa/nobody-puts-baby-in-a-corner"
},
{
"type": "WEB",
"url": "https://www.runzero.com/advisories/meari-weak-xor-obfuscation-cve-2026-33361"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PFV4-G52J-F26M
Vulnerability from github – Published: 2023-03-22 18:30 – Updated: 2023-03-22 18:30Experience Manager versions 6.5.15.0 (and earlier) are affected by a Weak Cryptography for Passwords vulnerability that can lead to a security feature bypass. A low-privileged attacker can exploit this in order to decrypt a user's password. The attack complexity is high since a successful exploitation requires to already have in possession this encrypted secret.
{
"affected": [],
"aliases": [
"CVE-2023-22271"
],
"database_specific": {
"cwe_ids": [
"CWE-261",
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-22T17:15:00Z",
"severity": "MODERATE"
},
"details": "Experience Manager versions 6.5.15.0 (and earlier) are affected by a Weak Cryptography for Passwords vulnerability that can lead to a security feature bypass. A low-privileged attacker can exploit this in order to decrypt a user\u0027s password. The attack complexity is high since a successful exploitation requires to already have in possession this encrypted secret.",
"id": "GHSA-pfv4-g52j-f26m",
"modified": "2023-03-22T18:30:39Z",
"published": "2023-03-22T18:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22271"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/experience-manager/apsb23-18.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PHPW-4P8W-67HR
Vulnerability from github – Published: 2022-05-24 19:08 – Updated: 2023-08-08 15:31A reordering issue exists in Telegram before 7.8.1 for Android, Telegram before 7.8.3 for iOS, and Telegram Desktop before 2.8.8. An attacker can cause the server to receive messages in a different order than they were sent a client.
{
"affected": [],
"aliases": [
"CVE-2021-36769"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-07-17T00:15:00Z",
"severity": "MODERATE"
},
"details": "A reordering issue exists in Telegram before 7.8.1 for Android, Telegram before 7.8.3 for iOS, and Telegram Desktop before 2.8.8. An attacker can cause the server to receive messages in a different order than they were sent a client.",
"id": "GHSA-phpw-4p8w-67hr",
"modified": "2023-08-08T15:31:18Z",
"published": "2022-05-24T19:08:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36769"
},
{
"type": "WEB",
"url": "https://mtpsym.github.io"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PHVM-XXQQ-RG95
Vulnerability from github – Published: 2022-04-03 00:01 – Updated: 2022-04-12 00:01An attacker could decipher the encryption and gain access to MDT AutoSave versions prior to v6.02.06.
{
"affected": [],
"aliases": [
"CVE-2021-32945"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-01T23:15:00Z",
"severity": "HIGH"
},
"details": "An attacker could decipher the encryption and gain access to MDT AutoSave versions prior to v6.02.06.",
"id": "GHSA-phvm-xxqq-rg95",
"modified": "2022-04-12T00:01:11Z",
"published": "2022-04-03T00:01:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32945"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-189-02"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PP2F-P95F-2XHX
Vulnerability from github – Published: 2022-04-30 18:22 – Updated: 2024-02-14 18:30Microsoft SQL Server 6.0 through 2000, with SQL Authentication enabled, uses weak password encryption (XOR), which allows remote attackers to sniff and decrypt the password.
{
"affected": [],
"aliases": [
"CVE-2002-1872"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2002-12-31T05:00:00Z",
"severity": "MODERATE"
},
"details": "Microsoft SQL Server 6.0 through 2000, with SQL Authentication enabled, uses weak password encryption (XOR), which allows remote attackers to sniff and decrypt the password.",
"id": "GHSA-pp2f-p95f-2xhx",
"modified": "2024-02-14T18:30:22Z",
"published": "2022-04-30T18:22:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2002-1872"
},
{
"type": "WEB",
"url": "http://online.securityfocus.com/archive/1/298361"
},
{
"type": "WEB",
"url": "http://www.iss.net/security_center/static/10542.php"
},
{
"type": "WEB",
"url": "http://www.nextgenss.com/papers/tp-SQL2000.pdf"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/6097"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PPP5-GGM8-7MMF
Vulnerability from github – Published: 2022-05-20 00:00 – Updated: 2022-06-01 00:00Inadequate encryption may allow the credentials used by Emerson OpenEnterprise, up through version 3.3.5, to access field devices and external systems to be obtained.
{
"affected": [],
"aliases": [
"CVE-2020-16235"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-19T18:15:00Z",
"severity": "MODERATE"
},
"details": "Inadequate encryption may allow the credentials used by Emerson OpenEnterprise, up through version 3.3.5, to access field devices and external systems to be obtained.",
"id": "GHSA-ppp5-ggm8-7mmf",
"modified": "2022-06-01T00:00:36Z",
"published": "2022-05-20T00:00:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-16235"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-20-238-02"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PPX5-75JP-426P
Vulnerability from github – Published: 2022-05-13 01:43 – Updated: 2022-05-13 01:43On Samsung NVR devices, remote attackers can read the MD5 password hash of the 'admin' account via certain szUserName JSON data to cgi-bin/main-cgi, and login to the device with that hash in the szUserPasswd parameter.
{
"affected": [],
"aliases": [
"CVE-2017-14262"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-09-11T09:29:00Z",
"severity": "HIGH"
},
"details": "On Samsung NVR devices, remote attackers can read the MD5 password hash of the \u0027admin\u0027 account via certain szUserName JSON data to cgi-bin/main-cgi, and login to the device with that hash in the szUserPasswd parameter.",
"id": "GHSA-ppx5-75jp-426p",
"modified": "2022-05-13T01:43:21Z",
"published": "2022-05-13T01:43:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-14262"
},
{
"type": "WEB",
"url": "https://github.com/zzz66686/Samsung_NVR_vul"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Use an encryption scheme that is currently considered to be strong by experts in the field.
CAPEC-112: Brute Force
In this attack, some asset (information, functionality, identity, etc.) is protected by a finite secret value. The attacker attempts to gain access to this asset by using trial-and-error to exhaustively explore all the possible secret values in the hope of finding the secret (or a value that is functionally equivalent) that will unlock the asset.
CAPEC-192: Protocol Analysis
An adversary engages in activities to decipher and/or decode protocol information for a network or application communication protocol used for transmitting information between interconnected nodes or systems on a packet-switched data network. While this type of analysis involves the analysis of a networking protocol inherently, it does not require the presence of an actual or physical network.
CAPEC-20: Encryption Brute Forcing
An attacker, armed with the cipher text and the encryption algorithm used, performs an exhaustive (brute force) search on the key space to determine the key that decrypts the cipher text to obtain the plaintext.