CWE-326
Inadequate Encryption Strength
The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
CVE-2025-22446 (GCVE-0-2025-22446)
Vulnerability from cvelistv5 – Published: 2025-05-13 21:02 – Updated: 2026-02-26 18:28
VLAI
Summary
Inadequate encryption strength for some Edge Orchestrator software for Intel(R) Tiber™ Edge Platform may allow an authenticated user to potentially enable escalation of privilege via adjacent access.
Severity
4.6 (Medium)
CWE
- Escalation of Privilege
- CWE-326 - Inadequate Encryption Strength
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | Edge Orchestrator software for Intel(R) Tiber™ Edge Platform |
Affected:
See references
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-22446",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-15T04:01:57.996624Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T18:28:14.258Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Edge Orchestrator software for Intel(R) Tiber\u2122 Edge Platform",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "See references"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Inadequate encryption strength for some Edge Orchestrator software for Intel(R) Tiber\u2122 Edge Platform may allow an authenticated user to potentially enable escalation of privilege via adjacent access."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Escalation of Privilege",
"lang": "en"
},
{
"cweId": "CWE-326",
"description": "Inadequate Encryption Strength",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-13T21:02:36.588Z",
"orgId": "6dda929c-bb53-4a77-a76d-48e79601a1ce",
"shortName": "intel"
},
"references": [
{
"name": "https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01239.html",
"url": "https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01239.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "6dda929c-bb53-4a77-a76d-48e79601a1ce",
"assignerShortName": "intel",
"cveId": "CVE-2025-22446",
"datePublished": "2025-05-13T21:02:36.588Z",
"dateReserved": "2025-01-09T04:00:22.754Z",
"dateUpdated": "2026-02-26T18:28:14.258Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-2349 (GCVE-0-2025-2349)
Vulnerability from cvelistv5 – Published: 2025-03-16 21:31 – Updated: 2025-03-17 16:45
VLAI
Title
IROAD Dash Cam FX2 Password Hash passwd weak password hash
Summary
A vulnerability was found in IROAD Dash Cam FX2 up to 20250308. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /etc/passwd of the component Password Hash Handler. The manipulation leads to password hash with insufficient computational effort. Access to the local network is required for this attack. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used.
Severity
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.299815 | vdb-entry |
| https://vuldb.com/?ctiid.299815 | signaturepermissions-required |
| https://github.com/geo-chen/IROAD?tab=readme-ov-f… | exploit |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| IROAD | Dash Cam FX2 |
Affected:
20250308
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-2349",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-17T16:45:09.244525Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-17T16:45:26.090Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Password Hash Handler"
],
"product": "Dash Cam FX2",
"vendor": "IROAD",
"versions": [
{
"status": "affected",
"version": "20250308"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in IROAD Dash Cam FX2 up to 20250308. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /etc/passwd of the component Password Hash Handler. The manipulation leads to password hash with insufficient computational effort. Access to the local network is required for this attack. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used."
},
{
"lang": "de",
"value": "In IROAD Dash Cam FX2 bis 20250308 wurde eine problematische Schwachstelle ausgemacht. Es geht um eine nicht n\u00e4her bekannte Funktion der Datei /etc/passwd der Komponente Password Hash Handler. Durch Beeinflussen mit unbekannten Daten kann eine password hash with insufficient computational effort-Schwachstelle ausgenutzt werden. Der Angriff kann im lokalen Netzwerk erfolgen. Die Komplexit\u00e4t eines Angriffs ist eher hoch. Sie gilt als schwierig ausnutzbar. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 2.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 3.1,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.1,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 1.8,
"vectorString": "AV:A/AC:H/Au:N/C:P/I:N/A:N",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-916",
"description": "Password Hash With Insufficient Computational Effort",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-326",
"description": "Inadequate Encryption Strength",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-16T21:31:04.302Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-299815 | IROAD Dash Cam FX2 Password Hash passwd weak password hash",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/?id.299815"
},
{
"name": "VDB-299815 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.299815"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/geo-chen/IROAD?tab=readme-ov-file#finding-9-exposed-root-password"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-03-15T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-03-15T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-03-15T19:27:58.000Z",
"value": "VulDB entry last update"
}
],
"title": "IROAD Dash Cam FX2 Password Hash passwd weak password hash"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-2349",
"datePublished": "2025-03-16T21:31:04.302Z",
"dateReserved": "2025-03-15T18:22:39.015Z",
"dateUpdated": "2025-03-17T16:45:26.090Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-2516 (GCVE-0-2025-2516)
Vulnerability from cvelistv5 – Published: 2025-03-27 14:29 – Updated: 2025-03-27 15:15
VLAI
Title
Use of a weak cryptographic key in the signature verification process in WPS Office
Summary
The use of a weak cryptographic key pair in the signature verification process in WPS Office (Kingsoft) on Windows allows an attacker who successfully recovered the private key to sign components.
As older versions of WPS Office did not validate the update server's certificate, an Adversary-In-The-Middle attack was possible allowing updates to be hijacked.
Severity
CWE
- CWE-326 - Inadequate Encryption Strength
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Kingsoft | WPS Office |
Unknown:
12.1.0.18276
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-2516",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-27T15:15:47.648387Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-27T15:15:56.127Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.wps.com/",
"defaultStatus": "unknown",
"platforms": [
"Windows"
],
"product": "WPS Office",
"vendor": "Kingsoft",
"versions": [
{
"status": "unknown",
"version": "12.1.0.18276",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eThe use of a weak cryptographic key pair in the signature verification process in WPS Office (Kingsoft) on Windows allows an attacker who successfully recovered the private key to sign components.\u003c/div\u003e\u003cdiv\u003eAs older versions of WPS Office did not validate the update server\u0027s certificate, an Adversary-In-The-Middle attack was possible allowing updates to be hijacked.\u003c/div\u003e"
}
],
"value": "The use of a weak cryptographic key pair in the signature verification process in WPS Office (Kingsoft) on Windows allows an attacker who successfully recovered the private key to sign components.\n\nAs older versions of WPS Office did not validate the update server\u0027s certificate, an Adversary-In-The-Middle attack was possible allowing updates to be hijacked."
}
],
"exploits": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "This vulnerability was also found by a threat actor who weaponized it.\u003cbr\u003e"
}
],
"value": "This vulnerability was also found by a threat actor who weaponized it."
}
],
"impacts": [
{
"capecId": "CAPEC-20",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-20 Encryption Brute Forcing"
}
]
},
{
"capecId": "CAPEC-187",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-187 Malicious Automated Software Update via Redirection"
}
]
},
{
"capecId": "CAPEC-485",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-485 Signature Spoofing by Key Recreation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.5,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "AMBER",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/U:Amber",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-326",
"description": "CWE-326 Inadequate Encryption Strength",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-27T14:29:22.907Z",
"orgId": "4a9b9929-2450-4021-b7b9-469a0255b215",
"shortName": "ESET"
},
"references": [
{
"url": "https://www.welivesecurity.com/en/eset-research/nspx30-sophisticated-aitm-enabled-implant-evolving-since-2005/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Use of a weak cryptographic key in the signature verification process in WPS Office",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "4a9b9929-2450-4021-b7b9-469a0255b215",
"assignerShortName": "ESET",
"cveId": "CVE-2025-2516",
"datePublished": "2025-03-27T14:29:22.907Z",
"dateReserved": "2025-03-19T07:49:48.800Z",
"dateUpdated": "2025-03-27T15:15:56.127Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-27524 (GCVE-0-2025-27524)
Vulnerability from cvelistv5 – Published: 2025-05-15 06:27 – Updated: 2025-05-15 14:09
VLAI
Title
Weak encryption vulnerability in JP1/IT Desktop Management 2 - Smart Device Manager
Summary
Weak encryption vulnerability in Hitachi JP1/IT Desktop Management 2 - Smart Device Manager on Windows.This issue affects JP1/IT Desktop Management 2 - Smart Device Manager: from 12-00 before 12-00-08, from 11-10 through 11-10-08, from 11-00 through 11-00-05, from 10-50 through 10-50-06.
Severity
5.3 (Medium)
CWE
- CWE-326 - Inadequate Encryption Strength
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.hitachi.com/products/it/software/secu… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Hitachi | JP1/IT Desktop Management 2 - Smart Device Manager |
Affected:
12-00 , < 12-00-08
(custom)
Affected: 11-10 , ≤ 11-10-08 (custom) Affected: 11-00 , ≤ 11-00-05 (custom) Affected: 10-50 , ≤ 10-50-06 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27524",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-15T14:09:18.489783Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-15T14:09:59.450Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows"
],
"product": "JP1/IT Desktop Management 2 - Smart Device Manager",
"vendor": "Hitachi",
"versions": [
{
"changes": [
{
"at": "12-00-08",
"status": "unaffected"
}
],
"lessThan": "12-00-08",
"status": "affected",
"version": "12-00",
"versionType": "custom"
},
{
"lessThanOrEqual": "11-10-08",
"status": "affected",
"version": "11-10",
"versionType": "custom"
},
{
"lessThanOrEqual": "11-00-05",
"status": "affected",
"version": "11-00",
"versionType": "custom"
},
{
"lessThanOrEqual": "10-50-06",
"status": "affected",
"version": "10-50",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Weak encryption vulnerability in Hitachi JP1/IT Desktop Management 2 - Smart Device Manager on Windows.\u003cp\u003eThis issue affects JP1/IT Desktop Management 2 - Smart Device Manager: from 12-00 before 12-00-08, from 11-10 through 11-10-08, from 11-00 through 11-00-05, from 10-50 through 10-50-06.\u003c/p\u003e"
}
],
"value": "Weak encryption vulnerability in Hitachi JP1/IT Desktop Management 2 - Smart Device Manager on Windows.This issue affects JP1/IT Desktop Management 2 - Smart Device Manager: from 12-00 before 12-00-08, from 11-10 through 11-10-08, from 11-00 through 11-00-05, from 10-50 through 10-50-06."
}
],
"impacts": [
{
"capecId": "CAPEC-192",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-192 Protocol Analysis"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-326",
"description": "CWE-326 Inadequate Encryption Strength",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-15T06:27:32.686Z",
"orgId": "50d0f415-c707-4733-9afc-8f6c0e9b3f82",
"shortName": "Hitachi"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2025-115/index.html"
}
],
"source": {
"advisory": "hitachi-sec-2025-115",
"discovery": "UNKNOWN"
},
"title": "Weak encryption vulnerability in JP1/IT Desktop Management 2 - Smart Device Manager",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "50d0f415-c707-4733-9afc-8f6c0e9b3f82",
"assignerShortName": "Hitachi",
"cveId": "CVE-2025-27524",
"datePublished": "2025-05-15T06:27:32.686Z",
"dateReserved": "2025-02-27T06:49:23.056Z",
"dateUpdated": "2025-05-15T14:09:59.450Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-36106 (GCVE-0-2025-36106)
Vulnerability from cvelistv5 – Published: 2025-07-21 18:08 – Updated: 2025-08-18 01:32
VLAI
Title
IBM Cognos Analytics Mobile (iOS) information disclosure
Summary
IBM Cognos Analytics Mobile (iOS) 1.1.0 through 1.1.22 could allow malicious actors to view and modify information coming to and from the application which could then be used to access confidential information on the device or network by using a the deprecated or misconfigured AFNetworking library at runtime.
Severity
6.5 (Medium)
CWE
- CWE-326 - Inadequate Encryption Strength
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.ibm.com/support/pages/node/7239635 | vendor-advisorypatch |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| IBM | Cognos Analytics Mobile |
Affected:
1.1.0 , ≤ 1.1.22
(semver)
cpe:2.3:a:ibm:cognos_analytics_mobile:1.1.0:*:*:*:*:ios:*:* cpe:2.3:a:ibm:cognos_analytics_mobile:1.1.22:*:*:*:*:ios:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-36106",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-21T18:41:45.044508Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-21T18:43:15.502Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:cognos_analytics_mobile:1.1.0:*:*:*:*:ios:*:*",
"cpe:2.3:a:ibm:cognos_analytics_mobile:1.1.22:*:*:*:*:ios:*:*"
],
"defaultStatus": "unaffected",
"platforms": [
"iOS"
],
"product": "Cognos Analytics Mobile",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "1.1.22",
"status": "affected",
"version": "1.1.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM Cognos Analytics Mobile (iOS) 1.1.0 through 1.1.22 could allow malicious actors to view and modify information coming to and from the application which could then be used to access confidential information on the device or network by using a the deprecated or misconfigured AFNetworking library at runtime."
}
],
"value": "IBM Cognos Analytics Mobile (iOS) 1.1.0 through 1.1.22 could allow malicious actors to view and modify information coming to and from the application which could then be used to access confidential information on the device or network by using a the deprecated or misconfigured AFNetworking library at runtime."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-326",
"description": "CWE-326 Inadequate Encryption Strength",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-18T01:32:49.740Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7239635"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM encourages customers to update their devices promptly.\u003cbr\u003e\u003cbr\u003eIBM Cognos Analytics Mobile (iOS) 1.1.0 - 1.1.22 IBM Cognos Analytics Mobile (iOS) 1.1.23\u003cbr\u003e"
}
],
"value": "IBM encourages customers to update their devices promptly.\n\nIBM Cognos Analytics Mobile (iOS) 1.1.0 - 1.1.22 IBM Cognos Analytics Mobile (iOS) 1.1.23"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM Cognos Analytics Mobile (iOS) information disclosure",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-36106",
"datePublished": "2025-07-21T18:08:09.988Z",
"dateReserved": "2025-04-15T21:16:16.298Z",
"dateUpdated": "2025-08-18T01:32:49.740Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-36379 (GCVE-0-2025-36379)
Vulnerability from cvelistv5 – Published: 2026-02-17 20:30 – Updated: 2026-02-18 14:49
VLAI
Title
IBM Security QRadar EDR Software has multiple vulnerabilities
Summary
IBM Security QRadar EDR 3.12 through 3.12.23 IBM Security ReaQta uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.
Severity
5.9 (Medium)
CWE
- CWE-326 - Inadequate Encryption Strength
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.ibm.com/support/pages/node/7260390 | vendor-advisorypatch |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| IBM | Security QRadar EDR |
Affected:
3.12 , ≤ 3.12.23
(semver)
cpe:2.3:a:ibm:security_qradar_edr:3.12:*:*:*:*:*:*:* cpe:2.3:a:ibm:security_qradar_edr:3.12.23:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-36379",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-18T14:49:09.562264Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-18T14:49:16.146Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:security_qradar_edr:3.12:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:security_qradar_edr:3.12.23:*:*:*:*:*:*:*"
],
"product": "Security QRadar EDR",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "3.12.23",
"status": "affected",
"version": "3.12",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM Security QRadar EDR 3.12 through 3.12.23 IBM Security ReaQta uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.\u003c/p\u003e"
}
],
"value": "IBM Security QRadar EDR 3.12 through 3.12.23 IBM Security ReaQta uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-326",
"description": "CWE-326 Inadequate Encryption Strength",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-17T20:30:29.415Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7260390"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM encourages customers to update their systems promptly. Product Fix version IBM Security QRadar EDR 3.12.24 The IBM Security QRadar EDR operator can be upgraded automatically when new compatible versions are available. However, you can control whether an operator is upgraded automatically by setting an approval strategy. Two approval strategies are available: Automatic (default) - New operator versions are installed automatically when they are available on the subscription channel. Manual - When a new operator version is available on the subscription channel, the subscription indicates that an update is available, but you must approve the update manually. For more information about the manual installation process, view Installing QRadar EDR\u003c/p\u003e"
}
],
"value": "IBM encourages customers to update their systems promptly. Product Fix version IBM Security QRadar EDR 3.12.24 The IBM Security QRadar EDR operator can be upgraded automatically when new compatible versions are available. However, you can control whether an operator is upgraded automatically by setting an approval strategy. Two approval strategies are available: Automatic (default) - New operator versions are installed automatically when they are available on the subscription channel. Manual - When a new operator version is available on the subscription channel, the subscription indicates that an update is available, but you must approve the update manually. For more information about the manual installation process, view Installing QRadar EDR"
}
],
"title": "IBM Security QRadar EDR Software has multiple vulnerabilities",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-36379",
"datePublished": "2026-02-17T20:30:29.415Z",
"dateReserved": "2025-04-15T21:16:56.325Z",
"dateUpdated": "2026-02-18T14:49:16.146Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-41743 (GCVE-0-2025-41743)
Vulnerability from cvelistv5 – Published: 2025-12-02 10:38 – Updated: 2025-12-02 16:54
VLAI
Title
Sprecher Automation: SPRECON-E series prone to weak encryption of update files
Summary
Insufficient encryption strength in Sprecher Automation SPRECON-E-C, SPRECON-E-P, and SPRECON-E-T3 allows a local unprivileged attacker to extract data from update images and thus obtain limited information about the architecture and internal processes.
Severity
4 (Medium)
CWE
- CWE-326 - Inadequate Encryption Strength
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.sprecher-automation.com/fileadmin/itS… | vendor-advisory |
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| Sprecher Automation | SPRECON-E-C |
Affected:
1.0 , < 9.0
(custom)
|
|
| Sprecher Automation | SPRECON-E-P |
Affected:
1.0 , < 9.0
(custom)
|
|
| Sprecher Automation | SPRECON-E-T3 |
Affected:
1.0 , < 9.0
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-41743",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-02T16:50:29.885950Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-02T16:54:38.071Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SPRECON-E-C",
"vendor": "Sprecher Automation",
"versions": [
{
"lessThan": "9.0",
"status": "affected",
"version": "1.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "SPRECON-E-P",
"vendor": "Sprecher Automation",
"versions": [
{
"lessThan": "9.0",
"status": "affected",
"version": "1.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "SPRECON-E-T3",
"vendor": "Sprecher Automation",
"versions": [
{
"lessThan": "9.0",
"status": "affected",
"version": "1.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Sec-Consult Security Labs"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Insufficient encryption strength in Sprecher Automation SPRECON-E-C, SPRECON-E-P, and SPRECON-E-T3 allows a local unprivileged attacker to extract data from update images and thus obtain limited information about the architecture and internal processes."
}
],
"value": "Insufficient encryption strength in Sprecher Automation SPRECON-E-C, SPRECON-E-P, and SPRECON-E-T3 allows a local unprivileged attacker to extract data from update images and thus obtain limited information about the architecture and internal processes."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-326",
"description": "CWE-326 Inadequate Encryption Strength",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-02T10:38:51.692Z",
"orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"shortName": "CERTVDE"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.sprecher-automation.com/fileadmin/itSecurity/PDF/SPR-2511043_de.pdf"
}
],
"source": {
"defect": [
"CERT@VDE#641892"
],
"discovery": "UNKNOWN"
},
"title": "Sprecher Automation: SPRECON-E series prone to weak encryption of update files",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"assignerShortName": "CERTVDE",
"cveId": "CVE-2025-41743",
"datePublished": "2025-12-02T10:38:51.692Z",
"dateReserved": "2025-04-16T11:17:48.321Z",
"dateUpdated": "2025-12-02T16:54:38.071Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-45764 (GCVE-0-2025-45764)
Vulnerability from cvelistv5 – Published: 2025-08-06 00:00 – Updated: 2025-08-26 18:51 Disputed
VLAI
Summary
jsrsasign v11.1.0 was discovered to contain weak encryption. NOTE: this issue has been disputed by a third party who believes that CVE IDs can be assigned for key lengths in specific applications that use a library, and should not be assigned to the default key lengths in a library. This dispute is subject to review under CNA rules 4.1.4, 4.1.14, and other rules; the dispute tagging is not meant to recommend an outcome for this CVE Record.
Severity
CWE
- CWE-326 - Inadequate Encryption Strength
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| jsrsasign project | jsrsasign |
Affected:
11.1.0
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-45764",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-06T19:40:39.638189Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-26T18:51:17.741Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "jsrsasign",
"vendor": "jsrsasign project",
"versions": [
{
"status": "affected",
"version": "11.1.0",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:jsrsasign_project:jsrsasign:*:*:*:*:*:*:*:*",
"versionEndIncluding": "11.1.0",
"versionStartIncluding": "11.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "jsrsasign v11.1.0 was discovered to contain weak encryption. NOTE: this issue has been disputed by a third party who believes that CVE IDs can be assigned for key lengths in specific applications that use a library, and should not be assigned to the default key lengths in a library. This dispute is subject to review under CNA rules 4.1.4, 4.1.14, and other rules; the dispute tagging is not meant to recommend an outcome for this CVE Record."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 3.2,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-326",
"description": "CWE-326 Inadequate Encryption Strength",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-07T04:15:54.319Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://gist.github.com/ZupeiNie/2250cf1758771d56272dc326ce066202"
},
{
"url": "https://github.com/kjur/jsrsasign/issues/634"
}
],
"tags": [
"disputed"
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-45764",
"datePublished": "2025-08-06T00:00:00.000Z",
"dateReserved": "2025-04-22T00:00:00.000Z",
"dateUpdated": "2025-08-26T18:51:17.741Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-46409 (GCVE-0-2025-46409)
Vulnerability from cvelistv5 – Published: 2025-08-28 08:27 – Updated: 2025-08-28 14:17
VLAI
Summary
Inadequate encryption strength issue exists in SS1 Ver.16.0.0.10 and earlier (Media version:16.0.0a and earlier). If this vulnerability is exploited, a function that requires authentication may be accessed by a remote unauthenticated attacker.
Severity
CWE
- CWE-326 - Inadequate encryption strength
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| DOS Co., Ltd. | SS1 |
Affected:
Ver.16.0.0.10 and earlier (Media version:16.0.0a and earlier)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-46409",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-28T14:17:37.556191Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-28T14:17:54.161Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "SS1",
"vendor": "DOS Co., Ltd.",
"versions": [
{
"status": "affected",
"version": "Ver.16.0.0.10 and earlier (Media version:16.0.0a and earlier)"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Inadequate encryption strength issue exists in SS1 Ver.16.0.0.10 and earlier (Media version:16.0.0a and earlier). If this vulnerability is exploited, a function that requires authentication may be accessed by a remote unauthenticated attacker."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"baseScore": 8.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-326",
"description": "Inadequate encryption strength",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-28T08:27:44.793Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.dos-osaka.co.jp/news/2025/08/250827.html"
},
{
"url": "https://jvn.jp/en/jp/JVN99577552/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2025-46409",
"datePublished": "2025-08-28T08:27:44.793Z",
"dateReserved": "2025-08-25T06:42:30.553Z",
"dateUpdated": "2025-08-28T14:17:54.161Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-46833 (GCVE-0-2025-46833)
Vulnerability from cvelistv5 – Published: 2025-05-08 19:27 – Updated: 2025-05-08 19:49
VLAI
Title
Programs/P73_SimplePythonEncryption.py has weak cryptographic key
Summary
Programs/P73_SimplePythonEncryption.py illustrates a simple Python encryption example using the RSA Algorithm. In versions prior to commit 6ce60b1, an attacker may be able to decrypt the data using brute force attacks and because of this the whole application can be impacted. This issue has been patched in commit 6ce60b1. A workaround involves increasing the key size, for RSA or DSA this is at least 2048 bits, for ECC this is at least 256 bits.
Severity
CWE
- CWE-326 - Inadequate Encryption Strength
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/ShashikantSingh09/python-progr… | x_refsource_CONFIRM |
| https://github.com/ShashikantSingh09/python-progr… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| ShashikantSingh09 | python-progrrames |
Affected:
< 6ce60b1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-46833",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-08T19:47:53.139736Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-08T19:49:41.318Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "python-progrrames",
"vendor": "ShashikantSingh09",
"versions": [
{
"status": "affected",
"version": "\u003c 6ce60b1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Programs/P73_SimplePythonEncryption.py illustrates a simple Python encryption example using the RSA Algorithm. In versions prior to commit 6ce60b1, an attacker may be able to decrypt the data using brute force attacks and because of this the whole application can be impacted. This issue has been patched in commit 6ce60b1. A workaround involves increasing the key size, for RSA or DSA this is at least 2048 bits, for ECC this is at least 256 bits."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-326",
"description": "CWE-326: Inadequate Encryption Strength",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-08T19:27:33.330Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/ShashikantSingh09/python-progrrames/security/advisories/GHSA-5h26-2c6g-4ch4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ShashikantSingh09/python-progrrames/security/advisories/GHSA-5h26-2c6g-4ch4"
},
{
"name": "https://github.com/ShashikantSingh09/python-progrrames/commit/6ce60b1b2116a579a2e89de96d738a98f6ad4f27",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ShashikantSingh09/python-progrrames/commit/6ce60b1b2116a579a2e89de96d738a98f6ad4f27"
}
],
"source": {
"advisory": "GHSA-5h26-2c6g-4ch4",
"discovery": "UNKNOWN"
},
"title": "Programs/P73_SimplePythonEncryption.py has weak cryptographic key"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-46833",
"datePublished": "2025-05-08T19:27:33.330Z",
"dateReserved": "2025-04-30T19:41:58.135Z",
"dateUpdated": "2025-05-08T19:49:41.318Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Mitigation
Phase: Architecture and Design
Description:
- Use an encryption scheme that is currently considered to be strong by experts in the field.
CAPEC-112: Brute Force
In this attack, some asset (information, functionality, identity, etc.) is protected by a finite secret value. The attacker attempts to gain access to this asset by using trial-and-error to exhaustively explore all the possible secret values in the hope of finding the secret (or a value that is functionally equivalent) that will unlock the asset.
CAPEC-192: Protocol Analysis
An adversary engages in activities to decipher and/or decode protocol information for a network or application communication protocol used for transmitting information between interconnected nodes or systems on a packet-switched data network. While this type of analysis involves the analysis of a networking protocol inherently, it does not require the presence of an actual or physical network.
CAPEC-20: Encryption Brute Forcing
An attacker, armed with the cipher text and the encryption algorithm used, performs an exhaustive (brute force) search on the key space to determine the key that decrypts the cipher text to obtain the plaintext.