CWE-326
Allowed-with-ReviewInadequate Encryption Strength
Abstraction: Class · Status: Draft
The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
633 vulnerabilities reference this CWE, most recent first.
GHSA-26G8-GMR4-3JJH
Vulnerability from github – Published: 2022-07-15 00:00 – Updated: 2022-07-21 00:00IBM Security Verify Identity Manager 10.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 224919.
{
"affected": [],
"aliases": [
"CVE-2022-22453"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-14T18:15:00Z",
"severity": "HIGH"
},
"details": "IBM Security Verify Identity Manager 10.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 224919.",
"id": "GHSA-26g8-gmr4-3jjh",
"modified": "2022-07-21T00:00:35Z",
"published": "2022-07-15T00:00:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22453"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/224919"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6603405"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-27X2-2GH4-2GPV
Vulnerability from github – Published: 2025-08-28 15:30 – Updated: 2025-08-28 15:30Inadequate encryption strength issue exists in SS1 Ver.16.0.0.10 and earlier (Media version:16.0.0a and earlier). If this vulnerability is exploited, a function that requires authentication may be accessed by a remote unauthenticated attacker.
{
"affected": [],
"aliases": [
"CVE-2025-46409"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-28T09:15:31Z",
"severity": "HIGH"
},
"details": "Inadequate encryption strength issue exists in SS1 Ver.16.0.0.10 and earlier (Media version:16.0.0a and earlier). If this vulnerability is exploited, a function that requires authentication may be accessed by a remote unauthenticated attacker.",
"id": "GHSA-27x2-2gh4-2gpv",
"modified": "2025-08-28T15:30:39Z",
"published": "2025-08-28T15:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46409"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN99577552"
},
{
"type": "WEB",
"url": "https://www.dos-osaka.co.jp/news/2025/08/250827.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-283Q-3R3X-G3RC
Vulnerability from github – Published: 2022-03-09 00:00 – Updated: 2025-08-12 12:30A vulnerability has been identified in RUGGEDCOM ROS M2100 (All versions < V5.6.0), RUGGEDCOM ROS M2200 (All versions < V5.6.0), RUGGEDCOM ROS M969 (All versions < V5.6.0), RUGGEDCOM ROS RMC (All versions < V5.6.0), RUGGEDCOM ROS RMC20 (All versions < V5.6.0), RUGGEDCOM ROS RMC30 (All versions < V5.6.0), RUGGEDCOM ROS RMC40 (All versions < V5.6.0), RUGGEDCOM ROS RMC41 (All versions < V5.6.0), RUGGEDCOM ROS RMC8388 (All versions < V5.6.0), RUGGEDCOM ROS RP110 (All versions < V5.6.0), RUGGEDCOM ROS RS400 (All versions < V5.6.0), RUGGEDCOM ROS RS401 (All versions < V5.6.0), RUGGEDCOM ROS RS416 (All versions < V5.6.0), RUGGEDCOM ROS RS416v2 (All versions < V5.6.0), RUGGEDCOM ROS RS8000 (All versions < V5.6.0), RUGGEDCOM ROS RS8000A (All versions < V5.6.0), RUGGEDCOM ROS RS8000H (All versions < V5.6.0), RUGGEDCOM ROS RS8000T (All versions < V5.6.0), RUGGEDCOM ROS RS900 (32M) (All versions < V5.6.0), RUGGEDCOM ROS RS900G (All versions < V5.6.0), RUGGEDCOM ROS RS900G (32M) (All versions < V5.6.0), RUGGEDCOM ROS RS900GP (All versions < V5.6.0), RUGGEDCOM ROS RS900L (All versions < V5.6.0), RUGGEDCOM ROS RS900L (All versions < V5.6.0), RUGGEDCOM ROS RS900W (All versions < V5.6.0), RUGGEDCOM ROS RS910 (All versions < V5.6.0), RUGGEDCOM ROS RS910L (All versions < V5.6.0), RUGGEDCOM ROS RS910W (All versions < V5.6.0), RUGGEDCOM ROS RS920L (All versions < V5.6.0), RUGGEDCOM ROS RS920W (All versions < V5.6.0), RUGGEDCOM ROS RS930L (All versions < V5.6.0), RUGGEDCOM ROS RS930W (All versions < V5.6.0), RUGGEDCOM ROS RS940G (All versions < V5.6.0), RUGGEDCOM ROS RS969 (All versions < V5.6.0), RUGGEDCOM ROS RSG2100 (All versions < V5.6.0), RUGGEDCOM ROS RSG2100 (32M) (All versions < V5.6.0), RUGGEDCOM ROS RSG2100P (All versions < V5.6.0), RUGGEDCOM ROS RSG2100P (32M) (All versions < V5.6.0), RUGGEDCOM ROS RSG2200 (All versions < V5.6.0), RUGGEDCOM ROS RSG2288 (All versions < V5.6.0), RUGGEDCOM ROS RSG2300 (All versions < V5.6.0), RUGGEDCOM ROS RSG2300P (All versions < V5.6.0), RUGGEDCOM ROS RSG2488 (All versions < V5.6.0), RUGGEDCOM ROS RSG900 (All versions < V5.6.0), RUGGEDCOM ROS RSG900C (All versions < V5.6.0), RUGGEDCOM ROS RSG900G (All versions < V5.6.0), RUGGEDCOM ROS RSG900R (All versions < V5.6.0), RUGGEDCOM ROS RSG907R (All versions < V5.6.0), RUGGEDCOM ROS RSG908C (All versions < V5.6.0), RUGGEDCOM ROS RSG909R (All versions < V5.6.0), RUGGEDCOM ROS RSG910C (All versions < V5.6.0), RUGGEDCOM ROS RSG920P (All versions < V5.6.0), RUGGEDCOM ROS RSL910 (All versions < V5.6.0), RUGGEDCOM ROS RST2228 (All versions < V5.6.0), RUGGEDCOM ROS RST916C (All versions < V5.6.0), RUGGEDCOM ROS RST916P (All versions < V5.6.0), RUGGEDCOM ROS i800 (All versions < V5.6.0), RUGGEDCOM ROS i801 (All versions < V5.6.0), RUGGEDCOM ROS i802 (All versions < V5.6.0), RUGGEDCOM ROS i803 (All versions < V5.6.0). Unencrypted storage of passwords in the client configuration files and during network transmission could allow an attacker in a privileged position to obtain access passwords.
{
"affected": [],
"aliases": [
"CVE-2021-37209"
],
"database_specific": {
"cwe_ids": [
"CWE-311",
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-08T12:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been identified in RUGGEDCOM ROS M2100 (All versions \u003c V5.6.0), RUGGEDCOM ROS M2200 (All versions \u003c V5.6.0), RUGGEDCOM ROS M969 (All versions \u003c V5.6.0), RUGGEDCOM ROS RMC (All versions \u003c V5.6.0), RUGGEDCOM ROS RMC20 (All versions \u003c V5.6.0), RUGGEDCOM ROS RMC30 (All versions \u003c V5.6.0), RUGGEDCOM ROS RMC40 (All versions \u003c V5.6.0), RUGGEDCOM ROS RMC41 (All versions \u003c V5.6.0), RUGGEDCOM ROS RMC8388 (All versions \u003c V5.6.0), RUGGEDCOM ROS RP110 (All versions \u003c V5.6.0), RUGGEDCOM ROS RS400 (All versions \u003c V5.6.0), RUGGEDCOM ROS RS401 (All versions \u003c V5.6.0), RUGGEDCOM ROS RS416 (All versions \u003c V5.6.0), RUGGEDCOM ROS RS416v2 (All versions \u003c V5.6.0), RUGGEDCOM ROS RS8000 (All versions \u003c V5.6.0), RUGGEDCOM ROS RS8000A (All versions \u003c V5.6.0), RUGGEDCOM ROS RS8000H (All versions \u003c V5.6.0), RUGGEDCOM ROS RS8000T (All versions \u003c V5.6.0), RUGGEDCOM ROS RS900 (32M) (All versions \u003c V5.6.0), RUGGEDCOM ROS RS900G (All versions \u003c V5.6.0), RUGGEDCOM ROS RS900G (32M) (All versions \u003c V5.6.0), RUGGEDCOM ROS RS900GP (All versions \u003c V5.6.0), RUGGEDCOM ROS RS900L (All versions \u003c V5.6.0), RUGGEDCOM ROS RS900L (All versions \u003c V5.6.0), RUGGEDCOM ROS RS900W (All versions \u003c V5.6.0), RUGGEDCOM ROS RS910 (All versions \u003c V5.6.0), RUGGEDCOM ROS RS910L (All versions \u003c V5.6.0), RUGGEDCOM ROS RS910W (All versions \u003c V5.6.0), RUGGEDCOM ROS RS920L (All versions \u003c V5.6.0), RUGGEDCOM ROS RS920W (All versions \u003c V5.6.0), RUGGEDCOM ROS RS930L (All versions \u003c V5.6.0), RUGGEDCOM ROS RS930W (All versions \u003c V5.6.0), RUGGEDCOM ROS RS940G (All versions \u003c V5.6.0), RUGGEDCOM ROS RS969 (All versions \u003c V5.6.0), RUGGEDCOM ROS RSG2100 (All versions \u003c V5.6.0), RUGGEDCOM ROS RSG2100 (32M) (All versions \u003c V5.6.0), RUGGEDCOM ROS RSG2100P (All versions \u003c V5.6.0), RUGGEDCOM ROS RSG2100P (32M) (All versions \u003c V5.6.0), RUGGEDCOM ROS RSG2200 (All versions \u003c V5.6.0), RUGGEDCOM ROS RSG2288 (All versions \u003c V5.6.0), RUGGEDCOM ROS RSG2300 (All versions \u003c V5.6.0), RUGGEDCOM ROS RSG2300P (All versions \u003c V5.6.0), RUGGEDCOM ROS RSG2488 (All versions \u003c V5.6.0), RUGGEDCOM ROS RSG900 (All versions \u003c V5.6.0), RUGGEDCOM ROS RSG900C (All versions \u003c V5.6.0), RUGGEDCOM ROS RSG900G (All versions \u003c V5.6.0), RUGGEDCOM ROS RSG900R (All versions \u003c V5.6.0), RUGGEDCOM ROS RSG907R (All versions \u003c V5.6.0), RUGGEDCOM ROS RSG908C (All versions \u003c V5.6.0), RUGGEDCOM ROS RSG909R (All versions \u003c V5.6.0), RUGGEDCOM ROS RSG910C (All versions \u003c V5.6.0), RUGGEDCOM ROS RSG920P (All versions \u003c V5.6.0), RUGGEDCOM ROS RSL910 (All versions \u003c V5.6.0), RUGGEDCOM ROS RST2228 (All versions \u003c V5.6.0), RUGGEDCOM ROS RST916C (All versions \u003c V5.6.0), RUGGEDCOM ROS RST916P (All versions \u003c V5.6.0), RUGGEDCOM ROS i800 (All versions \u003c V5.6.0), RUGGEDCOM ROS i801 (All versions \u003c V5.6.0), RUGGEDCOM ROS i802 (All versions \u003c V5.6.0), RUGGEDCOM ROS i803 (All versions \u003c V5.6.0). Unencrypted storage of passwords in the client configuration files and during\nnetwork transmission could allow an attacker in a privileged position to\nobtain access passwords.",
"id": "GHSA-283q-3r3x-g3rc",
"modified": "2025-08-12T12:30:31Z",
"published": "2022-03-09T00:00:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37209"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-764417.html"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-764417.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2CJ7-CJ42-3G7V
Vulnerability from github – Published: 2022-05-14 03:21 – Updated: 2022-05-14 03:21IBM Security Access Manager Appliance 8.0.0 through 8.0.1.6 and 9.0.0 through 9.0.3.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 128605.
{
"affected": [],
"aliases": [
"CVE-2017-1473"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-04-23T13:29:00Z",
"severity": "HIGH"
},
"details": "IBM Security Access Manager Appliance 8.0.0 through 8.0.1.6 and 9.0.0 through 9.0.3.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 128605.",
"id": "GHSA-2cj7-cj42-3g7v",
"modified": "2022-05-14T03:21:41Z",
"published": "2022-05-14T03:21:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1473"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/128605"
},
{
"type": "WEB",
"url": "http://www.ibm.com/support/docview.wss?uid=swg22012268"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2CM7-GRW6-W6X7
Vulnerability from github – Published: 2022-05-24 17:34 – Updated: 2022-05-24 17:34An issue was discovered on CDATA 72408A, 9008A, 9016A, 92408A, 92416A, 9288, 97016, 97024P, 97028P, 97042P, 97084P, 97168P, FD1002S, FD1104, FD1104B, FD1104S, FD1104SN, FD1108S, FD1204S-R2, FD1204SN, FD1204SN-R2, FD1208S-R2, FD1216S-R1, FD1608GS, FD1608SN, FD1616GS, FD1616SN, and FD8000 devices. A custom encryption algorithm is used to store encrypted passwords. This algorithm will XOR the password with the hardcoded j7a(L#yZ98sSd5HfSgGjMj8;Ss;d)(&^#@$a2s0i3g value.
{
"affected": [],
"aliases": [
"CVE-2020-29063"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-11-24T21:15:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered on CDATA 72408A, 9008A, 9016A, 92408A, 92416A, 9288, 97016, 97024P, 97028P, 97042P, 97084P, 97168P, FD1002S, FD1104, FD1104B, FD1104S, FD1104SN, FD1108S, FD1204S-R2, FD1204SN, FD1204SN-R2, FD1208S-R2, FD1216S-R1, FD1608GS, FD1608SN, FD1616GS, FD1616SN, and FD8000 devices. A custom encryption algorithm is used to store encrypted passwords. This algorithm will XOR the password with the hardcoded *j7a(L#yZ98sSd5HfSgGjMj8;Ss;d)(*\u0026^#@$a2s0i3g value.",
"id": "GHSA-2cm7-grw6-w6x7",
"modified": "2022-05-24T17:34:55Z",
"published": "2022-05-24T17:34:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-29063"
},
{
"type": "WEB",
"url": "https://pierrekim.github.io/blog/2020-07-07-cdata-olt-0day-vulnerabilities.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-2CQ3-H4M9-XXXQ
Vulnerability from github – Published: 2022-05-17 00:13 – Updated: 2022-05-17 00:13IBM Security Guardium 9.0, 9.1, and 9.5 supports interaction between multiple actors and allows those actors to negotiate which algorithm should be used as a protection mechanism such as encryption or authentication, but it does not select the strongest algorithm that is available to both parties. IBM X-Force ID: 124746.
{
"affected": [],
"aliases": [
"CVE-2017-1271"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-12-07T15:29:00Z",
"severity": "HIGH"
},
"details": "IBM Security Guardium 9.0, 9.1, and 9.5 supports interaction between multiple actors and allows those actors to negotiate which algorithm should be used as a protection mechanism such as encryption or authentication, but it does not select the strongest algorithm that is available to both parties. IBM X-Force ID: 124746.",
"id": "GHSA-2cq3-h4m9-xxxq",
"modified": "2022-05-17T00:13:22Z",
"published": "2022-05-17T00:13:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1271"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/124746"
},
{
"type": "WEB",
"url": "http://www.ibm.com/support/docview.wss?uid=swg22010435"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/102034"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1039961"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2FCH-4J3W-44MF
Vulnerability from github – Published: 2022-05-24 17:29 – Updated: 2022-05-24 17:29cPanel before 88.0.3, upon an upgrade, establishes predictable PowerDNS API keys (SEC-561).
{
"affected": [],
"aliases": [
"CVE-2020-26107"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-09-25T06:15:00Z",
"severity": "HIGH"
},
"details": "cPanel before 88.0.3, upon an upgrade, establishes predictable PowerDNS API keys (SEC-561).",
"id": "GHSA-2fch-4j3w-44mf",
"modified": "2022-05-24T17:29:40Z",
"published": "2022-05-24T17:29:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26107"
},
{
"type": "WEB",
"url": "https://docs.cpanel.net/changelogs/88-change-log"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-2G4C-JPHF-67P6
Vulnerability from github – Published: 2023-11-09 15:30 – Updated: 2023-11-17 15:30The leakage of channel access token in F.B.P members Line 13.6.1 allows remote attackers to send malicious notifications to victims.
{
"affected": [],
"aliases": [
"CVE-2023-47363"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-09T14:15:07Z",
"severity": "MODERATE"
},
"details": "The leakage of channel access token in F.B.P members Line 13.6.1 allows remote attackers to send malicious notifications to victims.",
"id": "GHSA-2g4c-jphf-67p6",
"modified": "2023-11-17T15:30:26Z",
"published": "2023-11-09T15:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47363"
},
{
"type": "WEB",
"url": "https://github.com/syz913/CVE-reports/blob/main/F.B.P%20members.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2G83-V4W9-J66C
Vulnerability from github – Published: 2022-05-24 17:40 – Updated: 2022-05-24 17:40An issue was discovered in certain Xerox WorkCentre products. They do not properly encrypt passwords. This affects 3655, 3655i, 58XX, 58XXi 59XX, 59XXi, 6655, 6655i, 72XX, 72XXi 78XX, 78XXi, 7970, 7970i, EC7836, and EC7856 devices.
{
"affected": [],
"aliases": [
"CVE-2020-36201"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-01-26T18:15:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in certain Xerox WorkCentre products. They do not properly encrypt passwords. This affects 3655, 3655i, 58XX, 58XXi 59XX, 59XXi, 6655, 6655i, 72XX, 72XXi 78XX, 78XXi, 7970, 7970i, EC7836, and EC7856 devices.",
"id": "GHSA-2g83-v4w9-j66c",
"modified": "2022-05-24T17:40:15Z",
"published": "2022-05-24T17:40:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36201"
},
{
"type": "WEB",
"url": "https://securitydocs.business.xerox.com/wp-content/uploads/2020/06/cert_Security_Mini_Bulletin_XRX20L_for_ConnectKey-1.pdf"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-2G9R-9F99-V27G
Vulnerability from github – Published: 2022-05-24 17:17 – Updated: 2023-01-20 18:30yaws_config.erl in Yaws through 2.0.2 and/or 2.0.7 loads obsolete TLS ciphers, as demonstrated by ones that allow Sweet32 attacks.
{
"affected": [],
"aliases": [
"CVE-2020-12872"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-05-15T19:15:00Z",
"severity": "LOW"
},
"details": "yaws_config.erl in Yaws through 2.0.2 and/or 2.0.7 loads obsolete TLS ciphers, as demonstrated by ones that allow Sweet32 attacks.",
"id": "GHSA-2g9r-9f99-v27g",
"modified": "2023-01-20T18:30:19Z",
"published": "2022-05-24T17:17:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12872"
},
{
"type": "WEB",
"url": "https://github.com/erlyaws/yaws/issues/402"
},
{
"type": "WEB",
"url": "https://github.com/erlyaws/yaws/blob/c0fd79f17d52628fcec527da7fa3e788c283c445/src/yaws_config.erl#L2068-L2075"
},
{
"type": "WEB",
"url": "https://github.com/erlyaws/yaws/releases"
},
{
"type": "WEB",
"url": "https://medium.com/@charlielabs101/cve-2020-12872-df315411aa70"
},
{
"type": "WEB",
"url": "https://sweet32.info"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Use an encryption scheme that is currently considered to be strong by experts in the field.
CAPEC-112: Brute Force
In this attack, some asset (information, functionality, identity, etc.) is protected by a finite secret value. The attacker attempts to gain access to this asset by using trial-and-error to exhaustively explore all the possible secret values in the hope of finding the secret (or a value that is functionally equivalent) that will unlock the asset.
CAPEC-192: Protocol Analysis
An adversary engages in activities to decipher and/or decode protocol information for a network or application communication protocol used for transmitting information between interconnected nodes or systems on a packet-switched data network. While this type of analysis involves the analysis of a networking protocol inherently, it does not require the presence of an actual or physical network.
CAPEC-20: Encryption Brute Forcing
An attacker, armed with the cipher text and the encryption algorithm used, performs an exhaustive (brute force) search on the key space to determine the key that decrypts the cipher text to obtain the plaintext.