CWE-326
Allowed-with-ReviewInadequate Encryption Strength
Abstraction: Class · Status: Draft
The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
631 vulnerabilities reference this CWE, most recent first.
GHSA-XFM3-5PRM-P3XQ
Vulnerability from github – Published: 2022-05-24 16:45 – Updated: 2024-04-04 00:24IBM Rational Engineering Lifecycle Manager 6.0 through 6.0.6 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 143798.
{
"affected": [],
"aliases": [
"CVE-2018-1608"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-05-01T16:29:00Z",
"severity": "HIGH"
},
"details": "IBM Rational Engineering Lifecycle Manager 6.0 through 6.0.6 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 143798.",
"id": "GHSA-xfm3-5prm-p3xq",
"modified": "2024-04-04T00:24:37Z",
"published": "2022-05-24T16:45:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1608"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/143798"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/docview.wss?uid=ibm10882778"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/108290"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XFXC-48QF-J4G6
Vulnerability from github – Published: 2023-12-05 00:31 – Updated: 2023-12-08 18:30Weak encryption mechanisms in RFID Tags in Yale Conexis L1 v1.1.0 allows attackers to create a cloned tag via physical proximity to the original.
{
"affected": [],
"aliases": [
"CVE-2023-26941"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-05T00:15:08Z",
"severity": "MODERATE"
},
"details": "Weak encryption mechanisms in RFID Tags in Yale Conexis L1 v1.1.0 allows attackers to create a cloned tag via physical proximity to the original.",
"id": "GHSA-xfxc-48qf-j4g6",
"modified": "2023-12-08T18:30:41Z",
"published": "2023-12-05T00:31:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26941"
},
{
"type": "WEB",
"url": "https://arxiv.org/abs/2312.00021"
},
{
"type": "WEB",
"url": "https://www.researchgate.net/publication/375759408_Technical_Report_-_CVE-2022-46480_CVE-2023-26941_CVE-2023-26942_and_CVE-2023-26943#fullTextFileContent"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XG5W-J24M-8379
Vulnerability from github – Published: 2023-01-06 00:30 – Updated: 2023-01-12 18:30DES cipher, which has inadequate encryption strength, is used Hitachi Energy FOXMAN-UN to encrypt user credentials used to access the Network Elements. Successful exploitation allows sensitive information to be decrypted easily. This issue affects * FOXMAN-UN product: FOXMAN-UN R16A, FOXMAN-UN R15B, FOXMAN-UN R15A, FOXMAN-UN R14B, FOXMAN-UN R14A, FOXMAN-UN R11B, FOXMAN-UN R11A, FOXMAN-UN R10C, FOXMAN-UN R9C; * UNEM product: UNEM R16A, UNEM R15B, UNEM R15A, UNEM R14B, UNEM R14A, UNEM R11B, UNEM R11A, UNEM R10C, UNEM R9C. List of CPEs: * cpe:2.3:a:hitachienergy:foxman-un:R16A::::::: * cpe:2.3:a:hitachienergy:foxman-un:R15B::::::: * cpe:2.3:a:hitachienergy:foxman-un:R15A::::::: * cpe:2.3:a:hitachienergy:foxman-un:R14B::::::: * cpe:2.3:a:hitachienergy:foxman-un:R14A::::::: * cpe:2.3:a:hitachienergy:foxman-un:R11B::::::: * cpe:2.3:a:hitachienergy:foxman-un:R11A::::::: * cpe:2.3:a:hitachienergy:foxman-un:R10C::::::: * cpe:2.3:a:hitachienergy:foxman-un:R9C::::::: * cpe:2.3:a:hitachienergy:unem:R16A::::::: * cpe:2.3:a:hitachienergy:unem:R15B::::::: * cpe:2.3:a:hitachienergy:unem:R15A::::::: * cpe:2.3:a:hitachienergy:unem:R14B::::::: * cpe:2.3:a:hitachienergy:unem:R14A::::::: * cpe:2.3:a:hitachienergy:unem:R11B::::::: * cpe:2.3:a:hitachienergy:unem:R11A::::::: * cpe:2.3:a:hitachienergy:unem:R10C::::::: * cpe:2.3:a:hitachienergy:unem:R9C:::::::
{
"affected": [],
"aliases": [
"CVE-2021-40341"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-05T22:15:00Z",
"severity": "MODERATE"
},
"details": "DES cipher, which has inadequate encryption strength, is used Hitachi Energy FOXMAN-UN to encrypt user credentials used to access the Network Elements. Successful exploitation allows sensitive information to be decrypted easily. This issue affects * FOXMAN-UN product: FOXMAN-UN R16A, FOXMAN-UN R15B, FOXMAN-UN R15A, FOXMAN-UN R14B, FOXMAN-UN R14A, FOXMAN-UN R11B, FOXMAN-UN R11A, FOXMAN-UN R10C, FOXMAN-UN R9C; * UNEM product: UNEM R16A, UNEM R15B, UNEM R15A, UNEM R14B, UNEM R14A, UNEM R11B, UNEM R11A, UNEM R10C, UNEM R9C. List of CPEs: * cpe:2.3:a:hitachienergy:foxman-un:R16A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R15B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R15A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R14B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R14A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R11B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R11A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R10C:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R9C:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R16A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R15B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R15A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R14B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R14A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R11B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R11A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R10C:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R9C:*:*:*:*:*:*:*",
"id": "GHSA-xg5w-j24m-8379",
"modified": "2023-01-12T18:30:29Z",
"published": "2023-01-06T00:30:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40341"
},
{
"type": "WEB",
"url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000083\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"type": "WEB",
"url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000084\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XJ59-9QJV-FR54
Vulnerability from github – Published: 2022-05-01 02:31 – Updated: 2025-04-12 13:05SHA-1 is not collision resistant, which makes it easier for context-dependent attackers to conduct spoofing attacks, as demonstrated by attacks on the use of SHA-1 in TLS 1.2. NOTE: this CVE exists to provide a common identifier for referencing this SHA-1 issue; the existence of an identifier is not, by itself, a technology recommendation.
{
"affected": [],
"aliases": [
"CVE-2005-4900"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2016-10-14T16:59:00Z",
"severity": "MODERATE"
},
"details": "SHA-1 is not collision resistant, which makes it easier for context-dependent attackers to conduct spoofing attacks, as demonstrated by attacks on the use of SHA-1 in TLS 1.2. NOTE: this CVE exists to provide a common identifier for referencing this SHA-1 issue; the existence of an identifier is not, by itself, a technology recommendation.",
"id": "GHSA-xj59-9qjv-fr54",
"modified": "2025-04-12T13:05:40Z",
"published": "2022-05-01T02:31:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2005-4900"
},
{
"type": "WEB",
"url": "https://arstechnica.com/security/2017/02/at-deaths-door-for-years-widely-used-sha1-function-is-now-dead"
},
{
"type": "WEB",
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10340"
},
{
"type": "WEB",
"url": "https://security.googleblog.com/2015/12/an-update-on-sha-1-certificates-in.html"
},
{
"type": "WEB",
"url": "https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html"
},
{
"type": "WEB",
"url": "https://sites.google.com/site/itstheshappening"
},
{
"type": "WEB",
"url": "https://www.schneier.com/blog/archives/2005/02/sha1_broken.html"
},
{
"type": "WEB",
"url": "https://www.schneier.com/blog/archives/2005/08/new_cryptanalyt.html"
},
{
"type": "WEB",
"url": "http://ia.cr/2007/474"
},
{
"type": "WEB",
"url": "http://shattered.io"
},
{
"type": "WEB",
"url": "http://www.cwi.nl/news/2017/cwi-and-google-announce-first-collision-industry-security-standard-sha-1"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/12577"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XM5H-PCCR-WQ9G
Vulnerability from github – Published: 2022-05-24 19:10 – Updated: 2022-05-24 19:10In SapphireIMS 4097_1, the password in the database is stored in Base64 format.
{
"affected": [],
"aliases": [
"CVE-2017-16632"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-11T21:15:00Z",
"severity": "HIGH"
},
"details": "In SapphireIMS 4097_1, the password in the database is stored in Base64 format.",
"id": "GHSA-xm5h-pccr-wq9g",
"modified": "2022-05-24T19:10:39Z",
"published": "2022-05-24T19:10:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-16632"
},
{
"type": "WEB",
"url": "https://vuln.shellcoder.party/2020/07/18/cve-2017-16632-sapphireims-insecure-storage-of-password"
},
{
"type": "WEB",
"url": "https://vuln.shellcoder.party/tags/sapphireims"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-XM9V-FG48-44V7
Vulnerability from github – Published: 2024-06-15 00:31 – Updated: 2024-07-03 18:45HCL DRYiCE Optibot Reset Station is impacted by a missing Strict Transport Security Header. This could allow an attacker to intercept or manipulate data during redirection.
{
"affected": [],
"aliases": [
"CVE-2024-30119"
],
"database_specific": {
"cwe_ids": [
"CWE-326",
"CWE-522"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-14T22:15:10Z",
"severity": "LOW"
},
"details": "HCL DRYiCE Optibot Reset Station\u00a0is impacted by a missing Strict Transport Security Header. \u00a0This could allow an attacker to intercept or manipulate data during redirection.",
"id": "GHSA-xm9v-fg48-44v7",
"modified": "2024-07-03T18:45:28Z",
"published": "2024-06-15T00:31:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30119"
},
{
"type": "WEB",
"url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0113496"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XPPM-X368-2QJM
Vulnerability from github – Published: 2022-10-06 18:52 – Updated: 2022-10-07 18:15In affected versions of Octopus Server it was identified that the same encryption process was used for both encrypting session cookies and variables.
{
"affected": [],
"aliases": [
"CVE-2022-2781"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-10-06T18:15:00Z",
"severity": "MODERATE"
},
"details": "In affected versions of Octopus Server it was identified that the same encryption process was used for both encrypting session cookies and variables.",
"id": "GHSA-xppm-x368-2qjm",
"modified": "2022-10-07T18:15:43Z",
"published": "2022-10-06T18:52:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2781"
},
{
"type": "WEB",
"url": "https://advisories.octopus.com/post/2022/sa2022-16"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XVW6-GW98-7W9W
Vulnerability from github – Published: 2023-11-09 15:30 – Updated: 2023-11-17 15:30The leakage of channel access token in Lil.OFF-PRICE STORE Line 13.6.1 allows remote attackers to send malicious notifications to victims.
{
"affected": [],
"aliases": [
"CVE-2023-47365"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-09T14:15:08Z",
"severity": "MODERATE"
},
"details": "The leakage of channel access token in Lil.OFF-PRICE STORE Line 13.6.1 allows remote attackers to send malicious notifications to victims.",
"id": "GHSA-xvw6-gw98-7w9w",
"modified": "2023-11-17T15:30:26Z",
"published": "2023-11-09T15:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47365"
},
{
"type": "WEB",
"url": "https://github.com/syz913/CVE-reports/blob/main/Lil.OFF-PRICE%20STORE.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XWPW-54M2-P853
Vulnerability from github – Published: 2021-12-26 00:00 – Updated: 2023-08-08 15:31In NetBSD through 9.2, the IPv6 fragment ID generation algorithm employs a weak cryptographic PRNG.
{
"affected": [],
"aliases": [
"CVE-2021-45484"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-25T02:15:00Z",
"severity": "HIGH"
},
"details": "In NetBSD through 9.2, the IPv6 fragment ID generation algorithm employs a weak cryptographic PRNG.",
"id": "GHSA-xwpw-54m2-p853",
"modified": "2023-08-08T15:31:27Z",
"published": "2021-12-26T00:00:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45484"
},
{
"type": "WEB",
"url": "https://arxiv.org/pdf/2112.09604.pdf"
},
{
"type": "WEB",
"url": "http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2021-001.txt.asc"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XX34-QQ6X-QVV2
Vulnerability from github – Published: 2022-05-24 16:56 – Updated: 2022-12-09 21:30IBM Cognos Controller 10.3.0, 10.3.1, 10.4.0, and 10.4.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 158880.
{
"affected": [],
"aliases": [
"CVE-2019-4175"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-09-17T19:15:00Z",
"severity": "HIGH"
},
"details": "IBM Cognos Controller 10.3.0, 10.3.1, 10.4.0, and 10.4.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 158880.",
"id": "GHSA-xx34-qq6x-qvv2",
"modified": "2022-12-09T21:30:52Z",
"published": "2022-05-24T16:56:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-4175"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/158880"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/security-bulletin-security-vulnerabilties-exist-ibm-cognos-controller"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Use an encryption scheme that is currently considered to be strong by experts in the field.
CAPEC-112: Brute Force
In this attack, some asset (information, functionality, identity, etc.) is protected by a finite secret value. The attacker attempts to gain access to this asset by using trial-and-error to exhaustively explore all the possible secret values in the hope of finding the secret (or a value that is functionally equivalent) that will unlock the asset.
CAPEC-192: Protocol Analysis
An adversary engages in activities to decipher and/or decode protocol information for a network or application communication protocol used for transmitting information between interconnected nodes or systems on a packet-switched data network. While this type of analysis involves the analysis of a networking protocol inherently, it does not require the presence of an actual or physical network.
CAPEC-20: Encryption Brute Forcing
An attacker, armed with the cipher text and the encryption algorithm used, performs an exhaustive (brute force) search on the key space to determine the key that decrypts the cipher text to obtain the plaintext.