CWE-326
Allowed-with-ReviewInadequate Encryption Strength
Abstraction: Class · Status: Draft
The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
631 vulnerabilities reference this CWE, most recent first.
GHSA-WV2H-444W-8XV6
Vulnerability from github – Published: 2022-05-24 19:04 – Updated: 2022-05-24 19:04The host SSH servers of Brocade Fabric OS before Brocade Fabric OS v7.4.2h, v8.2.1c, v8.2.2, v9.0.0, and Brocade SANnav before v2.1.1 utilize keys of less than 2048 bits, which may be vulnerable to man-in-the-middle attacks and/or insecure SSH communications.
{
"affected": [],
"aliases": [
"CVE-2020-15387"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-09T16:15:00Z",
"severity": "HIGH"
},
"details": "The host SSH servers of Brocade Fabric OS before Brocade Fabric OS v7.4.2h, v8.2.1c, v8.2.2, v9.0.0, and Brocade SANnav before v2.1.1 utilize keys of less than 2048 bits, which may be vulnerable to man-in-the-middle attacks and/or insecure SSH communications.",
"id": "GHSA-wv2h-444w-8xv6",
"modified": "2022-05-24T19:04:32Z",
"published": "2022-05-24T19:04:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15387"
},
{
"type": "WEB",
"url": "https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2021-1291"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-WVCV-832Q-FJG7
Vulnerability from github – Published: 2020-12-21 16:56 – Updated: 2024-11-13 23:01Impact
The code that performs decryption and padding check in RSA PKCS#1 v1.5 decryption is data dependant. In particular, code in current (as of 0.8.0-alpha38) master https://github.com/tlsfuzzer/tlslite-ng/blob/0812ed60860fa61a6573b2c0e18771414958f46d/tlslite/utils/rsakey.py#L407-L441 and code in 0.7.5 branch https://github.com/tlsfuzzer/tlslite-ng/blob/acdde3161124d6ae37c506b3476aea9996d12e97/tlslite/utils/rsakey.py#L394-L425 has multiple ways in which it leaks information (for one, it aborts as soon as the plaintext doesn't start with 0x00, 0x02) about the decrypted ciphertext (both the bit length of the decrypted message as well as where the first unexpected byte lays).
All TLS servers that enable RSA key exchange as well as applications that use the RSA decryption API directly are vulnerable.
All previous versions of tlslite-ng are vulnerable.
Patches
The patches to fix it are proposed in https://github.com/tlsfuzzer/tlslite-ng/pull/438 https://github.com/tlsfuzzer/tlslite-ng/pull/439
Note: the patches depend on Python processing the individual bytes in side-channel free manner, this is known to not be the case: https://securitypitfalls.wordpress.com/2018/08/03/constant-time-compare-in-python/ As such, users that require side-channel resistance are recommended to use different TLS implementations, as stated in the security policy of tlslite-ng.
Workarounds
There is no way to workaround this issue.
References
https://securitypitfalls.wordpress.com/2018/08/03/constant-time-compare-in-python/
For more information
If you have any questions or comments about this advisory please open an issue in tlslite-ng.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "tlslite-ng"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.7.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-26263"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": true,
"github_reviewed_at": "2020-12-21T16:55:47Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Impact\nThe code that performs decryption and padding check in RSA PKCS#1 v1.5 decryption is data dependant.\nIn particular, code in current (as of 0.8.0-alpha38) master\nhttps://github.com/tlsfuzzer/tlslite-ng/blob/0812ed60860fa61a6573b2c0e18771414958f46d/tlslite/utils/rsakey.py#L407-L441\nand code in 0.7.5 branch\nhttps://github.com/tlsfuzzer/tlslite-ng/blob/acdde3161124d6ae37c506b3476aea9996d12e97/tlslite/utils/rsakey.py#L394-L425\nhas multiple ways in which it leaks information (for one, it aborts as soon as the plaintext doesn\u0027t start with 0x00, 0x02) about the decrypted ciphertext (both the bit length of the decrypted message as well as where the first unexpected byte lays).\n\nAll TLS servers that enable RSA key exchange as well as applications that use the RSA decryption API directly are vulnerable.\n\nAll previous versions of tlslite-ng are vulnerable.\n\n### Patches\nThe patches to fix it are proposed in \nhttps://github.com/tlsfuzzer/tlslite-ng/pull/438\nhttps://github.com/tlsfuzzer/tlslite-ng/pull/439\n\nNote: the patches depend on Python processing the individual bytes in side-channel free manner, this is known to not be the case: https://securitypitfalls.wordpress.com/2018/08/03/constant-time-compare-in-python/\nAs such, users that require side-channel resistance are recommended to use different TLS implementations, as stated in the [security policy](https://github.com/tlsfuzzer/tlslite-ng/blob/master/SECURITY.md) of tlslite-ng.\n\n### Workarounds\nThere is no way to workaround this issue.\n\n### References\nhttps://securitypitfalls.wordpress.com/2018/08/03/constant-time-compare-in-python/\n\n### For more information\nIf you have any questions or comments about this advisory please open an issue in [tlslite-ng](https://github.com/tlsfuzzer/tlslite-ng/issues).",
"id": "GHSA-wvcv-832q-fjg7",
"modified": "2024-11-13T23:01:33Z",
"published": "2020-12-21T16:56:37Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/tlsfuzzer/tlslite-ng/security/advisories/GHSA-wvcv-832q-fjg7"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26263"
},
{
"type": "WEB",
"url": "https://github.com/tlsfuzzer/tlslite-ng/pull/438"
},
{
"type": "WEB",
"url": "https://github.com/tlsfuzzer/tlslite-ng/pull/439"
},
{
"type": "WEB",
"url": "https://github.com/tlsfuzzer/tlslite-ng/commit/c28d6d387bba59d8bd5cb3ba15edc42edf54b368"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/tlslite-ng/PYSEC-2020-143.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/tlsfuzzer/tlslite-ng"
},
{
"type": "WEB",
"url": "https://pypi.org/project/tlslite-ng"
},
{
"type": "WEB",
"url": "https://securitypitfalls.wordpress.com/2018/08/03/constant-time-compare-in-python"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "RSA weakness in tslite-ng"
}
GHSA-WW3W-592J-5QRW
Vulnerability from github – Published: 2022-05-17 01:17 – Updated: 2024-04-25 21:00The aesEncrypt method in lib/SimpleSAML/Utils/Crypto.php in SimpleSAMLphp 1.14.x through 1.14.11 makes it easier for context-dependent attackers to bypass the encryption protection mechanism by leveraging use of the first 16 bytes of the secret key as the initialization vector (IV).
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "simplesamlphp/simplesamlphp"
},
"ranges": [
{
"events": [
{
"introduced": "1.14.0"
},
{
"fixed": "1.14.12"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2017-12871"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": true,
"github_reviewed_at": "2024-04-25T21:00:11Z",
"nvd_published_at": "2017-09-01T21:29:00Z",
"severity": "MODERATE"
},
"details": "The aesEncrypt method in `lib/SimpleSAML/Utils/Crypto.php` in SimpleSAMLphp 1.14.x through 1.14.11 makes it easier for context-dependent attackers to bypass the encryption protection mechanism by leveraging use of the first 16 bytes of the secret key as the initialization vector (IV).",
"id": "GHSA-ww3w-592j-5qrw",
"modified": "2024-04-25T21:00:11Z",
"published": "2022-05-17T01:17:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12871"
},
{
"type": "WEB",
"url": "https://github.com/simplesamlphp/simplesamlphp/commit/77df6a932d46daa35e364925eb73a175010dc904"
},
{
"type": "WEB",
"url": "https://github.com/simplesamlphp/simplesamlphp/commit/ccf75981187aa88f7165abdb1b1965c0934acda0"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2017-12871.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/simplesamlphp/simplesamlphp"
},
{
"type": "WEB",
"url": "https://simplesamlphp.org/security/201703-02"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "SimpleSAMLphp Incorrect IV generation for encryption"
}
GHSA-WWCP-6F37-8CHW
Vulnerability from github – Published: 2026-06-03 21:30 – Updated: 2026-06-04 15:30Version 3.0.7 of the Securly Chrome Extension exposes multiple publicly accessible endpoints that allow unauthenticated access to sensitive data. The exposed information consists of SHA-1 hashes that are inadequately obfuscated using a simple Caesar cipher, which can be easily reversed to recover the original hash values and access the protected data.
{
"affected": [],
"aliases": [
"CVE-2026-8878"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-03T19:16:39Z",
"severity": "HIGH"
},
"details": "Version 3.0.7 of the Securly Chrome Extension exposes multiple publicly accessible endpoints that allow unauthenticated access to sensitive data. The exposed information consists of SHA-1 hashes that are inadequately obfuscated using a simple Caesar cipher, which can be easily reversed to recover the original hash values and access the protected data.",
"id": "GHSA-wwcp-6f37-8chw",
"modified": "2026-06-04T15:30:33Z",
"published": "2026-06-03T21:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8878"
},
{
"type": "WEB",
"url": "https://kb.cert.org/vuls/id/595768"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WWWX-FGW9-364C
Vulnerability from github – Published: 2022-05-24 22:29 – Updated: 2022-05-24 22:29IBM Curam Social Program Management 7.0.9 and 7.0.10 uses MD5 algorithm for hashing token in a single instance which less safe than default SHA-256 cryptographic algorithm used throughout the Cúram application. IBM X-Force ID: 189156.
{
"affected": [],
"aliases": [
"CVE-2020-4778"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-12T13:15:00Z",
"severity": "HIGH"
},
"details": "IBM Curam Social Program Management 7.0.9 and 7.0.10 uses MD5 algorithm for hashing token in a single instance which less safe than default SHA-256 cryptographic algorithm used throughout the C\u00c3\u00baram application. IBM X-Force ID: 189156.",
"id": "GHSA-wwwx-fgw9-364c",
"modified": "2022-05-24T22:29:04Z",
"published": "2022-05-24T22:29:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-4778"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/189156"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6346575"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-WX47-2XF5-P653
Vulnerability from github – Published: 2022-05-13 01:32 – Updated: 2022-05-13 01:32IBM WebShere MQ 9.1.0.0, 9.1.0.1, 9.1.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 152925.
{
"affected": [],
"aliases": [
"CVE-2018-1925"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-04-15T15:29:00Z",
"severity": "MODERATE"
},
"details": "IBM WebShere MQ 9.1.0.0, 9.1.0.1, 9.1.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 152925.",
"id": "GHSA-wx47-2xf5-p653",
"modified": "2022-05-13T01:32:29Z",
"published": "2022-05-13T01:32:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1925"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/152925"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/docview.wss?uid=ibm10744713"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-X2Q6-5P25-FRJ9
Vulnerability from github – Published: 2022-05-24 17:38 – Updated: 2022-05-24 17:38IBM Security Guardium Insights 2.0.2 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 184812.
{
"affected": [],
"aliases": [
"CVE-2020-4596"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-01-13T19:15:00Z",
"severity": "HIGH"
},
"details": "IBM Security Guardium Insights 2.0.2 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 184812.",
"id": "GHSA-x2q6-5p25-frj9",
"modified": "2022-05-24T17:38:59Z",
"published": "2022-05-24T17:38:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-4596"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/184821"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6403463"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-X2QP-W4JG-WV76
Vulnerability from github – Published: 2022-08-16 00:00 – Updated: 2022-08-17 00:00Apache OpenOffice supports the storage of passwords for web connections in the user's configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in OpenOffice existed where the required initialization vector for encryption was always the same which weakens the security of the encryption making them vulnerable if an attacker has access to the user's configuration data. This issue affects: Apache OpenOffice versions prior to 4.1.13. Reference: CVE-2022-26306 - LibreOffice
{
"affected": [],
"aliases": [
"CVE-2022-37400"
],
"database_specific": {
"cwe_ids": [
"CWE-326",
"CWE-330"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-15T11:21:00Z",
"severity": "HIGH"
},
"details": "Apache OpenOffice supports the storage of passwords for web connections in the user\u0027s configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in OpenOffice existed where the required initialization vector for encryption was always the same which weakens the security of the encryption making them vulnerable if an attacker has access to the user\u0027s configuration data. This issue affects: Apache OpenOffice versions prior to 4.1.13. Reference: CVE-2022-26306 - LibreOffice",
"id": "GHSA-x2qp-w4jg-wv76",
"modified": "2022-08-17T00:00:23Z",
"published": "2022-08-16T00:00:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37400"
},
{
"type": "WEB",
"url": "https://www.openoffice.org/security/cves/CVE-2022-37400.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2022/08/13/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X5MH-3HVM-9J36
Vulnerability from github – Published: 2023-06-02 18:30 – Updated: 2024-04-04 04:30Under certain circumstances, a call to the bind function may have resulted in the incorrect realm. This may have created a vulnerability relating to JavaScript-implemented sandboxes such as SES. This vulnerability affects Firefox for Android < 112, Firefox < 112, and Focus for Android < 112.
{
"affected": [],
"aliases": [
"CVE-2023-29549"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-02T17:15:12Z",
"severity": "MODERATE"
},
"details": "Under certain circumstances, a call to the \u003ccode\u003ebind\u003c/code\u003e function may have resulted in the incorrect realm. This may have created a vulnerability relating to JavaScript-implemented sandboxes such as SES. This vulnerability affects Firefox for Android \u003c 112, Firefox \u003c 112, and Focus for Android \u003c 112.",
"id": "GHSA-x5mh-3hvm-9j36",
"modified": "2024-04-04T04:30:51Z",
"published": "2023-06-02T18:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29549"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1823042"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2023-13"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-X66H-PV23-HVPJ
Vulnerability from github – Published: 2022-05-13 01:24 – Updated: 2022-05-13 01:24The nsSOCKSSocketInfo::ConnectToProxy function in Mozilla Firefox before 18.0, Firefox ESR 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderbird ESR 17.x before 17.0.2, and SeaMonkey before 2.15 does not ensure thread safety for SSL sessions, which allows remote attackers to execute arbitrary code via crafted data, as demonstrated by e-mail message data.
{
"affected": [],
"aliases": [
"CVE-2013-0764"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2013-01-13T20:55:00Z",
"severity": "HIGH"
},
"details": "The nsSOCKSSocketInfo::ConnectToProxy function in Mozilla Firefox before 18.0, Firefox ESR 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderbird ESR 17.x before 17.0.2, and SeaMonkey before 2.15 does not ensure thread safety for SSL sessions, which allows remote attackers to execute arbitrary code via crafted data, as demonstrated by e-mail message data.",
"id": "GHSA-x66h-pv23-hvpj",
"modified": "2022-05-13T01:24:15Z",
"published": "2022-05-13T01:24:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-0764"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=804237"
},
{
"type": "WEB",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16715"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00006.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00007.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00010.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00017.html"
},
{
"type": "WEB",
"url": "http://www.mozilla.org/security/announce/2013/mfsa2013-07.html"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-1681-1"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-1681-2"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-1681-4"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation
Use an encryption scheme that is currently considered to be strong by experts in the field.
CAPEC-112: Brute Force
In this attack, some asset (information, functionality, identity, etc.) is protected by a finite secret value. The attacker attempts to gain access to this asset by using trial-and-error to exhaustively explore all the possible secret values in the hope of finding the secret (or a value that is functionally equivalent) that will unlock the asset.
CAPEC-192: Protocol Analysis
An adversary engages in activities to decipher and/or decode protocol information for a network or application communication protocol used for transmitting information between interconnected nodes or systems on a packet-switched data network. While this type of analysis involves the analysis of a networking protocol inherently, it does not require the presence of an actual or physical network.
CAPEC-20: Encryption Brute Forcing
An attacker, armed with the cipher text and the encryption algorithm used, performs an exhaustive (brute force) search on the key space to determine the key that decrypts the cipher text to obtain the plaintext.