Common Weakness Enumeration

CWE-326

Allowed-with-Review

Inadequate Encryption Strength

Abstraction: Class · Status: Draft

The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

633 vulnerabilities reference this CWE, most recent first.

GHSA-26G8-GMR4-3JJH

Vulnerability from github – Published: 2022-07-15 00:00 – Updated: 2022-07-21 00:00
VLAI
Details

IBM Security Verify Identity Manager 10.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 224919.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-22453"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-07-14T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "IBM Security Verify Identity Manager 10.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 224919.",
  "id": "GHSA-26g8-gmr4-3jjh",
  "modified": "2022-07-21T00:00:35Z",
  "published": "2022-07-15T00:00:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22453"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/224919"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6603405"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-27X2-2GH4-2GPV

Vulnerability from github – Published: 2025-08-28 15:30 – Updated: 2025-08-28 15:30
VLAI
Details

Inadequate encryption strength issue exists in SS1 Ver.16.0.0.10 and earlier (Media version:16.0.0a and earlier). If this vulnerability is exploited, a function that requires authentication may be accessed by a remote unauthenticated attacker.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-46409"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-28T09:15:31Z",
    "severity": "HIGH"
  },
  "details": "Inadequate encryption strength issue exists in SS1 Ver.16.0.0.10 and earlier (Media version:16.0.0a and earlier). If this vulnerability is exploited, a function that requires authentication may be accessed by a remote unauthenticated attacker.",
  "id": "GHSA-27x2-2gh4-2gpv",
  "modified": "2025-08-28T15:30:39Z",
  "published": "2025-08-28T15:30:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46409"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN99577552"
    },
    {
      "type": "WEB",
      "url": "https://www.dos-osaka.co.jp/news/2025/08/250827.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-283Q-3R3X-G3RC

Vulnerability from github – Published: 2022-03-09 00:00 – Updated: 2025-08-12 12:30
VLAI
Details

A vulnerability has been identified in RUGGEDCOM ROS M2100 (All versions < V5.6.0), RUGGEDCOM ROS M2200 (All versions < V5.6.0), RUGGEDCOM ROS M969 (All versions < V5.6.0), RUGGEDCOM ROS RMC (All versions < V5.6.0), RUGGEDCOM ROS RMC20 (All versions < V5.6.0), RUGGEDCOM ROS RMC30 (All versions < V5.6.0), RUGGEDCOM ROS RMC40 (All versions < V5.6.0), RUGGEDCOM ROS RMC41 (All versions < V5.6.0), RUGGEDCOM ROS RMC8388 (All versions < V5.6.0), RUGGEDCOM ROS RP110 (All versions < V5.6.0), RUGGEDCOM ROS RS400 (All versions < V5.6.0), RUGGEDCOM ROS RS401 (All versions < V5.6.0), RUGGEDCOM ROS RS416 (All versions < V5.6.0), RUGGEDCOM ROS RS416v2 (All versions < V5.6.0), RUGGEDCOM ROS RS8000 (All versions < V5.6.0), RUGGEDCOM ROS RS8000A (All versions < V5.6.0), RUGGEDCOM ROS RS8000H (All versions < V5.6.0), RUGGEDCOM ROS RS8000T (All versions < V5.6.0), RUGGEDCOM ROS RS900 (32M) (All versions < V5.6.0), RUGGEDCOM ROS RS900G (All versions < V5.6.0), RUGGEDCOM ROS RS900G (32M) (All versions < V5.6.0), RUGGEDCOM ROS RS900GP (All versions < V5.6.0), RUGGEDCOM ROS RS900L (All versions < V5.6.0), RUGGEDCOM ROS RS900L (All versions < V5.6.0), RUGGEDCOM ROS RS900W (All versions < V5.6.0), RUGGEDCOM ROS RS910 (All versions < V5.6.0), RUGGEDCOM ROS RS910L (All versions < V5.6.0), RUGGEDCOM ROS RS910W (All versions < V5.6.0), RUGGEDCOM ROS RS920L (All versions < V5.6.0), RUGGEDCOM ROS RS920W (All versions < V5.6.0), RUGGEDCOM ROS RS930L (All versions < V5.6.0), RUGGEDCOM ROS RS930W (All versions < V5.6.0), RUGGEDCOM ROS RS940G (All versions < V5.6.0), RUGGEDCOM ROS RS969 (All versions < V5.6.0), RUGGEDCOM ROS RSG2100 (All versions < V5.6.0), RUGGEDCOM ROS RSG2100 (32M) (All versions < V5.6.0), RUGGEDCOM ROS RSG2100P (All versions < V5.6.0), RUGGEDCOM ROS RSG2100P (32M) (All versions < V5.6.0), RUGGEDCOM ROS RSG2200 (All versions < V5.6.0), RUGGEDCOM ROS RSG2288 (All versions < V5.6.0), RUGGEDCOM ROS RSG2300 (All versions < V5.6.0), RUGGEDCOM ROS RSG2300P (All versions < V5.6.0), RUGGEDCOM ROS RSG2488 (All versions < V5.6.0), RUGGEDCOM ROS RSG900 (All versions < V5.6.0), RUGGEDCOM ROS RSG900C (All versions < V5.6.0), RUGGEDCOM ROS RSG900G (All versions < V5.6.0), RUGGEDCOM ROS RSG900R (All versions < V5.6.0), RUGGEDCOM ROS RSG907R (All versions < V5.6.0), RUGGEDCOM ROS RSG908C (All versions < V5.6.0), RUGGEDCOM ROS RSG909R (All versions < V5.6.0), RUGGEDCOM ROS RSG910C (All versions < V5.6.0), RUGGEDCOM ROS RSG920P (All versions < V5.6.0), RUGGEDCOM ROS RSL910 (All versions < V5.6.0), RUGGEDCOM ROS RST2228 (All versions < V5.6.0), RUGGEDCOM ROS RST916C (All versions < V5.6.0), RUGGEDCOM ROS RST916P (All versions < V5.6.0), RUGGEDCOM ROS i800 (All versions < V5.6.0), RUGGEDCOM ROS i801 (All versions < V5.6.0), RUGGEDCOM ROS i802 (All versions < V5.6.0), RUGGEDCOM ROS i803 (All versions < V5.6.0). Unencrypted storage of passwords in the client configuration files and during network transmission could allow an attacker in a privileged position to obtain access passwords.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-37209"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-311",
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-03-08T12:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability has been identified in RUGGEDCOM ROS M2100 (All versions \u003c V5.6.0), RUGGEDCOM ROS M2200 (All versions \u003c V5.6.0), RUGGEDCOM ROS M969 (All versions \u003c V5.6.0), RUGGEDCOM ROS RMC (All versions \u003c V5.6.0), RUGGEDCOM ROS RMC20 (All versions \u003c V5.6.0), RUGGEDCOM ROS RMC30 (All versions \u003c V5.6.0), RUGGEDCOM ROS RMC40 (All versions \u003c V5.6.0), RUGGEDCOM ROS RMC41 (All versions \u003c V5.6.0), RUGGEDCOM ROS RMC8388 (All versions \u003c V5.6.0), RUGGEDCOM ROS RP110 (All versions \u003c V5.6.0), RUGGEDCOM ROS RS400 (All versions \u003c V5.6.0), RUGGEDCOM ROS RS401 (All versions \u003c V5.6.0), RUGGEDCOM ROS RS416 (All versions \u003c V5.6.0), RUGGEDCOM ROS RS416v2 (All versions \u003c V5.6.0), RUGGEDCOM ROS RS8000 (All versions \u003c V5.6.0), RUGGEDCOM ROS RS8000A (All versions \u003c V5.6.0), RUGGEDCOM ROS RS8000H (All versions \u003c V5.6.0), RUGGEDCOM ROS RS8000T (All versions \u003c V5.6.0), RUGGEDCOM ROS RS900 (32M) (All versions \u003c V5.6.0), RUGGEDCOM ROS RS900G (All versions \u003c V5.6.0), RUGGEDCOM ROS RS900G (32M) (All versions \u003c V5.6.0), RUGGEDCOM ROS RS900GP (All versions \u003c V5.6.0), RUGGEDCOM ROS RS900L (All versions \u003c V5.6.0), RUGGEDCOM ROS RS900L (All versions \u003c V5.6.0), RUGGEDCOM ROS RS900W (All versions \u003c V5.6.0), RUGGEDCOM ROS RS910 (All versions \u003c V5.6.0), RUGGEDCOM ROS RS910L (All versions \u003c V5.6.0), RUGGEDCOM ROS RS910W (All versions \u003c V5.6.0), RUGGEDCOM ROS RS920L (All versions \u003c V5.6.0), RUGGEDCOM ROS RS920W (All versions \u003c V5.6.0), RUGGEDCOM ROS RS930L (All versions \u003c V5.6.0), RUGGEDCOM ROS RS930W (All versions \u003c V5.6.0), RUGGEDCOM ROS RS940G (All versions \u003c V5.6.0), RUGGEDCOM ROS RS969 (All versions \u003c V5.6.0), RUGGEDCOM ROS RSG2100 (All versions \u003c V5.6.0), RUGGEDCOM ROS RSG2100 (32M) (All versions \u003c V5.6.0), RUGGEDCOM ROS RSG2100P (All versions \u003c V5.6.0), RUGGEDCOM ROS RSG2100P (32M) (All versions \u003c V5.6.0), RUGGEDCOM ROS RSG2200 (All versions \u003c V5.6.0), RUGGEDCOM ROS RSG2288 (All versions \u003c V5.6.0), RUGGEDCOM ROS RSG2300 (All versions \u003c V5.6.0), RUGGEDCOM ROS RSG2300P (All versions \u003c V5.6.0), RUGGEDCOM ROS RSG2488 (All versions \u003c V5.6.0), RUGGEDCOM ROS RSG900 (All versions \u003c V5.6.0), RUGGEDCOM ROS RSG900C (All versions \u003c V5.6.0), RUGGEDCOM ROS RSG900G (All versions \u003c V5.6.0), RUGGEDCOM ROS RSG900R (All versions \u003c V5.6.0), RUGGEDCOM ROS RSG907R (All versions \u003c V5.6.0), RUGGEDCOM ROS RSG908C (All versions \u003c V5.6.0), RUGGEDCOM ROS RSG909R (All versions \u003c V5.6.0), RUGGEDCOM ROS RSG910C (All versions \u003c V5.6.0), RUGGEDCOM ROS RSG920P (All versions \u003c V5.6.0), RUGGEDCOM ROS RSL910 (All versions \u003c V5.6.0), RUGGEDCOM ROS RST2228 (All versions \u003c V5.6.0), RUGGEDCOM ROS RST916C (All versions \u003c V5.6.0), RUGGEDCOM ROS RST916P (All versions \u003c V5.6.0), RUGGEDCOM ROS i800 (All versions \u003c V5.6.0), RUGGEDCOM ROS i801 (All versions \u003c V5.6.0), RUGGEDCOM ROS i802 (All versions \u003c V5.6.0), RUGGEDCOM ROS i803 (All versions \u003c V5.6.0). Unencrypted storage of passwords in the client configuration files and during\nnetwork transmission could allow an attacker in a privileged position to\nobtain access passwords.",
  "id": "GHSA-283q-3r3x-g3rc",
  "modified": "2025-08-12T12:30:31Z",
  "published": "2022-03-09T00:00:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37209"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-764417.html"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-764417.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2CJ7-CJ42-3G7V

Vulnerability from github – Published: 2022-05-14 03:21 – Updated: 2022-05-14 03:21
VLAI
Details

IBM Security Access Manager Appliance 8.0.0 through 8.0.1.6 and 9.0.0 through 9.0.3.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 128605.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-1473"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-04-23T13:29:00Z",
    "severity": "HIGH"
  },
  "details": "IBM Security Access Manager Appliance 8.0.0 through 8.0.1.6 and 9.0.0 through 9.0.3.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 128605.",
  "id": "GHSA-2cj7-cj42-3g7v",
  "modified": "2022-05-14T03:21:41Z",
  "published": "2022-05-14T03:21:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1473"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/128605"
    },
    {
      "type": "WEB",
      "url": "http://www.ibm.com/support/docview.wss?uid=swg22012268"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2CM7-GRW6-W6X7

Vulnerability from github – Published: 2022-05-24 17:34 – Updated: 2022-05-24 17:34
VLAI
Details

An issue was discovered on CDATA 72408A, 9008A, 9016A, 92408A, 92416A, 9288, 97016, 97024P, 97028P, 97042P, 97084P, 97168P, FD1002S, FD1104, FD1104B, FD1104S, FD1104SN, FD1108S, FD1204S-R2, FD1204SN, FD1204SN-R2, FD1208S-R2, FD1216S-R1, FD1608GS, FD1608SN, FD1616GS, FD1616SN, and FD8000 devices. A custom encryption algorithm is used to store encrypted passwords. This algorithm will XOR the password with the hardcoded j7a(L#yZ98sSd5HfSgGjMj8;Ss;d)(&^#@$a2s0i3g value.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-29063"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-11-24T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered on CDATA 72408A, 9008A, 9016A, 92408A, 92416A, 9288, 97016, 97024P, 97028P, 97042P, 97084P, 97168P, FD1002S, FD1104, FD1104B, FD1104S, FD1104SN, FD1108S, FD1204S-R2, FD1204SN, FD1204SN-R2, FD1208S-R2, FD1216S-R1, FD1608GS, FD1608SN, FD1616GS, FD1616SN, and FD8000 devices. A custom encryption algorithm is used to store encrypted passwords. This algorithm will XOR the password with the hardcoded *j7a(L#yZ98sSd5HfSgGjMj8;Ss;d)(*\u0026^#@$a2s0i3g value.",
  "id": "GHSA-2cm7-grw6-w6x7",
  "modified": "2022-05-24T17:34:55Z",
  "published": "2022-05-24T17:34:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-29063"
    },
    {
      "type": "WEB",
      "url": "https://pierrekim.github.io/blog/2020-07-07-cdata-olt-0day-vulnerabilities.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-2CQ3-H4M9-XXXQ

Vulnerability from github – Published: 2022-05-17 00:13 – Updated: 2022-05-17 00:13
VLAI
Details

IBM Security Guardium 9.0, 9.1, and 9.5 supports interaction between multiple actors and allows those actors to negotiate which algorithm should be used as a protection mechanism such as encryption or authentication, but it does not select the strongest algorithm that is available to both parties. IBM X-Force ID: 124746.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-1271"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-12-07T15:29:00Z",
    "severity": "HIGH"
  },
  "details": "IBM Security Guardium 9.0, 9.1, and 9.5 supports interaction between multiple actors and allows those actors to negotiate which algorithm should be used as a protection mechanism such as encryption or authentication, but it does not select the strongest algorithm that is available to both parties. IBM X-Force ID: 124746.",
  "id": "GHSA-2cq3-h4m9-xxxq",
  "modified": "2022-05-17T00:13:22Z",
  "published": "2022-05-17T00:13:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1271"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/124746"
    },
    {
      "type": "WEB",
      "url": "http://www.ibm.com/support/docview.wss?uid=swg22010435"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/102034"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1039961"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2FCH-4J3W-44MF

Vulnerability from github – Published: 2022-05-24 17:29 – Updated: 2022-05-24 17:29
VLAI
Details

cPanel before 88.0.3, upon an upgrade, establishes predictable PowerDNS API keys (SEC-561).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-26107"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-09-25T06:15:00Z",
    "severity": "HIGH"
  },
  "details": "cPanel before 88.0.3, upon an upgrade, establishes predictable PowerDNS API keys (SEC-561).",
  "id": "GHSA-2fch-4j3w-44mf",
  "modified": "2022-05-24T17:29:40Z",
  "published": "2022-05-24T17:29:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26107"
    },
    {
      "type": "WEB",
      "url": "https://docs.cpanel.net/changelogs/88-change-log"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-2G4C-JPHF-67P6

Vulnerability from github – Published: 2023-11-09 15:30 – Updated: 2023-11-17 15:30
VLAI
Details

The leakage of channel access token in F.B.P members Line 13.6.1 allows remote attackers to send malicious notifications to victims.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-47363"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-09T14:15:07Z",
    "severity": "MODERATE"
  },
  "details": "The leakage of channel access token in F.B.P members Line 13.6.1 allows remote attackers to send malicious notifications to victims.",
  "id": "GHSA-2g4c-jphf-67p6",
  "modified": "2023-11-17T15:30:26Z",
  "published": "2023-11-09T15:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47363"
    },
    {
      "type": "WEB",
      "url": "https://github.com/syz913/CVE-reports/blob/main/F.B.P%20members.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2G83-V4W9-J66C

Vulnerability from github – Published: 2022-05-24 17:40 – Updated: 2022-05-24 17:40
VLAI
Details

An issue was discovered in certain Xerox WorkCentre products. They do not properly encrypt passwords. This affects 3655, 3655i, 58XX, 58XXi 59XX, 59XXi, 6655, 6655i, 72XX, 72XXi 78XX, 78XXi, 7970, 7970i, EC7836, and EC7856 devices.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-36201"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-01-26T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in certain Xerox WorkCentre products. They do not properly encrypt passwords. This affects 3655, 3655i, 58XX, 58XXi 59XX, 59XXi, 6655, 6655i, 72XX, 72XXi 78XX, 78XXi, 7970, 7970i, EC7836, and EC7856 devices.",
  "id": "GHSA-2g83-v4w9-j66c",
  "modified": "2022-05-24T17:40:15Z",
  "published": "2022-05-24T17:40:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36201"
    },
    {
      "type": "WEB",
      "url": "https://securitydocs.business.xerox.com/wp-content/uploads/2020/06/cert_Security_Mini_Bulletin_XRX20L_for_ConnectKey-1.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-2G9R-9F99-V27G

Vulnerability from github – Published: 2022-05-24 17:17 – Updated: 2023-01-20 18:30
VLAI
Details

yaws_config.erl in Yaws through 2.0.2 and/or 2.0.7 loads obsolete TLS ciphers, as demonstrated by ones that allow Sweet32 attacks.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-12872"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-05-15T19:15:00Z",
    "severity": "LOW"
  },
  "details": "yaws_config.erl in Yaws through 2.0.2 and/or 2.0.7 loads obsolete TLS ciphers, as demonstrated by ones that allow Sweet32 attacks.",
  "id": "GHSA-2g9r-9f99-v27g",
  "modified": "2023-01-20T18:30:19Z",
  "published": "2022-05-24T17:17:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12872"
    },
    {
      "type": "WEB",
      "url": "https://github.com/erlyaws/yaws/issues/402"
    },
    {
      "type": "WEB",
      "url": "https://github.com/erlyaws/yaws/blob/c0fd79f17d52628fcec527da7fa3e788c283c445/src/yaws_config.erl#L2068-L2075"
    },
    {
      "type": "WEB",
      "url": "https://github.com/erlyaws/yaws/releases"
    },
    {
      "type": "WEB",
      "url": "https://medium.com/@charlielabs101/cve-2020-12872-df315411aa70"
    },
    {
      "type": "WEB",
      "url": "https://sweet32.info"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Use an encryption scheme that is currently considered to be strong by experts in the field.

CAPEC-112: Brute Force

In this attack, some asset (information, functionality, identity, etc.) is protected by a finite secret value. The attacker attempts to gain access to this asset by using trial-and-error to exhaustively explore all the possible secret values in the hope of finding the secret (or a value that is functionally equivalent) that will unlock the asset.

CAPEC-192: Protocol Analysis

An adversary engages in activities to decipher and/or decode protocol information for a network or application communication protocol used for transmitting information between interconnected nodes or systems on a packet-switched data network. While this type of analysis involves the analysis of a networking protocol inherently, it does not require the presence of an actual or physical network.

CAPEC-20: Encryption Brute Forcing

An attacker, armed with the cipher text and the encryption algorithm used, performs an exhaustive (brute force) search on the key space to determine the key that decrypts the cipher text to obtain the plaintext.