CWE-326
Allowed-with-ReviewInadequate Encryption Strength
Abstraction: Class · Status: Draft
The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
633 vulnerabilities reference this CWE, most recent first.
GHSA-2XWP-M7MQ-7Q3R
Vulnerability from github – Published: 2020-10-28 17:05 – Updated: 2020-10-28 17:04In the affected versions, the AWS Encryption CLI operated in "discovery mode" even when "strict mode" was specified. Although decryption only succeeded if the user had permission to decrypt with at least one of the CMKs, decryption could be successful using a CMK that was not included in the user-defined set when the CLI was operating in "strict mode."
Affected users should upgrade to Encryption CLI v1.8.x or v2.1.x as soon as possible.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "aws-encryption-sdk-cli"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.8.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "aws-encryption-sdk-cli"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": true,
"github_reviewed_at": "2020-10-28T17:04:54Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "In the affected versions, the AWS Encryption CLI operated in \"discovery mode\" even when \"strict mode\" was specified. Although decryption only succeeded if the user had permission to decrypt with at least one of the CMKs, decryption could be successful using a CMK that was not included in the user-defined set when the CLI was operating in \"strict mode.\"\n\nAffected users should upgrade to Encryption CLI v1.8.x or v2.1.x as soon as possible.",
"id": "GHSA-2xwp-m7mq-7q3r",
"modified": "2020-10-28T17:04:54Z",
"published": "2020-10-28T17:05:38Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/aws/aws-encryption-sdk-cli/security/advisories/GHSA-2xwp-m7mq-7q3r"
},
{
"type": "WEB",
"url": "https://github.com/aws/aws-encryption-sdk-cli/commit/7d21b8051cab9e52e056fe427d2bff19cf146460"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "CLI does not correctly implement strict mode"
}
GHSA-3276-P9F2-8Q89
Vulnerability from github – Published: 2022-04-21 01:57 – Updated: 2024-02-07 21:31TYPO3 before 4.3.4 and 4.4.x before 4.4.1 contains insecure randomness during generation of a hash with the "forgot password" function.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "typo3/cms-frontend"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.3.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "typo3/cms-frontend"
},
"ranges": [
{
"events": [
{
"introduced": "4.4.0"
},
{
"fixed": "4.4.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2010-3670"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": true,
"github_reviewed_at": "2024-02-07T21:31:25Z",
"nvd_published_at": "2019-11-05T20:15:00Z",
"severity": "MODERATE"
},
"details": "TYPO3 before 4.3.4 and 4.4.x before 4.4.1 contains insecure randomness during generation of a hash with the \"forgot password\" function.",
"id": "GHSA-3276-p9f2-8q89",
"modified": "2024-02-07T21:31:25Z",
"published": "2022-04-21T01:57:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2010-3670"
},
{
"type": "WEB",
"url": "https://github.com/TYPO3/typo3/commit/09ab77653161f23e266470a5984d4d5e64588355"
},
{
"type": "WEB",
"url": "https://github.com/TYPO3/typo3/commit/c03e944d200bf427bb18cad15f2ad36bc83061c9"
},
{
"type": "WEB",
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=590719"
},
{
"type": "PACKAGE",
"url": "https://github.com/TYPO3-CMS/frontend"
},
{
"type": "WEB",
"url": "https://security-tracker.debian.org/tracker/CVE-2010-3670"
},
{
"type": "WEB",
"url": "https://typo3.org/security/advisory/typo3-sa-2010-012/#Insecure_Randomness"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "TYPO3 is vulnerable to insecure randomness during hash generation in forgot password function"
}
GHSA-33J2-92XF-FWM3
Vulnerability from github – Published: 2023-07-06 19:24 – Updated: 2023-07-06 19:24HashiCorp Vault Enterprise 1.13.0 up to 1.13.1 is vulnerable to a padding oracle attack when using an HSM in conjunction with the CKM_AES_CBC_PAD or CKM_AES_CBC encryption mechanisms. An attacker with privileges to modify storage and restart Vault may be able to intercept or modify cipher text in order to derive Vault’s root key. Fixed in 1.13.2
{
"affected": [],
"aliases": [
"CVE-2023-2197"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-01T20:15:14Z",
"severity": null
},
"details": "HashiCorp Vault Enterprise 1.13.0 up to 1.13.1 is vulnerable to a padding oracle attack when using an HSM in conjunction with the\u00a0CKM_AES_CBC_PAD or\u00a0CKM_AES_CBC encryption mechanisms.\u00a0An attacker with privileges to modify storage and restart Vault may be able to intercept or modify cipher text in order to derive Vault\u2019s root key. Fixed in 1.13.2",
"id": "GHSA-33j2-92xf-fwm3",
"modified": "2023-07-06T19:24:19Z",
"published": "2023-07-06T19:24:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2197"
},
{
"type": "WEB",
"url": "https://discuss.hashicorp.com/t/hcsec-2023-14-vault-enterprise-vulnerable-to-padding-oracle-attacks-when-using-a-cbc-based-encryption-mechanism-with-a-hsm/53322"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-35HG-F9QQ-236G
Vulnerability from github – Published: 2023-10-17 15:30 – Updated: 2024-04-04 08:43Eaton easyE4 PLC offers a device password protection functionality to facilitate a secure connection and prevent unauthorized access. It was observed that the device password was stored with a weak encoding algorithm in the easyE4 program file when exported to SD card (*.PRG file ending).
{
"affected": [],
"aliases": [
"CVE-2023-43776"
],
"database_specific": {
"cwe_ids": [
"CWE-261",
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-17T13:15:11Z",
"severity": "MODERATE"
},
"details": "Eaton easyE4 PLC offers a device password protection functionality to facilitate a secure connection and prevent unauthorized access. It was observed that the device password was stored with a weak encoding algorithm in the easyE4 program file when exported to SD card (*.PRG file ending).",
"id": "GHSA-35hg-f9qq-236g",
"modified": "2024-04-04T08:43:07Z",
"published": "2023-10-17T15:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43776"
},
{
"type": "WEB",
"url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/etn-va-2023-1010.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-35M5-8CVJ-8783
Vulnerability from github – Published: 2021-11-10 16:28 – Updated: 2024-09-20 16:50Impact
The vulnerability is we used MD5 hashing Algorithm In our hashing file. If anyone who is a beginner(and doesn't know about hashes) can face problems as MD5 is considered a Insecure Hashing Algorithm.
Patches
The vulnerability is patched in v1.1.4 of the product, the users can upgrade to version 1.1.4.
Workarounds
If u specifically want a version and don't want to upgrade, you can remove the MD5 hashing function from the file hashing.py and this vulnerability will be gone
References
https://www.cybersecurity-help.cz/vdb/cwe/916/ https://www.cybersecurity-help.cz/vdb/cwe/327/ https://www.cybersecurity-help.cz/vdb/cwe/328/ https://www.section.io/engineering-education/what-is-md5/ https://www.johndcook.com/blog/2019/01/24/reversing-an-md5-hash/
For more information
If you have any questions or comments about this advisory: * Open an issue in Enrocrypt's Official Repo * Create a Discussion in Enrocrypt's Official Repo
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "enrocrypt"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-39182"
],
"database_specific": {
"cwe_ids": [
"CWE-326",
"CWE-327",
"CWE-328",
"CWE-916"
],
"github_reviewed": true,
"github_reviewed_at": "2021-11-08T18:58:04Z",
"nvd_published_at": "2021-11-08T15:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\nThe vulnerability is we used MD5 hashing Algorithm In our hashing file. If anyone who is a beginner(and doesn\u0027t know about hashes) can face problems as MD5 is considered a Insecure Hashing Algorithm. \n\n### Patches\nThe vulnerability is patched in v1.1.4 of the product, the users can upgrade to version 1.1.4.\n\n### Workarounds\nIf u specifically want a version and don\u0027t want to upgrade, you can remove the `MD5` hashing function from the file `hashing.py` and this vulnerability will be gone\n\n### References\nhttps://www.cybersecurity-help.cz/vdb/cwe/916/\nhttps://www.cybersecurity-help.cz/vdb/cwe/327/\nhttps://www.cybersecurity-help.cz/vdb/cwe/328/\nhttps://www.section.io/engineering-education/what-is-md5/\nhttps://www.johndcook.com/blog/2019/01/24/reversing-an-md5-hash/\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [**Enrocrypt\u0027s Official Repo**](http://www.github.com/Morgan-Phoenix/EnroCrypt)\n* Create a Discussion in [**Enrocrypt\u0027s Official Repo**](http://www.github.com/Morgan-Phoenix/EnroCrypt)\n",
"id": "GHSA-35m5-8cvj-8783",
"modified": "2024-09-20T16:50:32Z",
"published": "2021-11-10T16:28:46Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Morgan-Phoenix/EnroCrypt/security/advisories/GHSA-35m5-8cvj-8783"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39182"
},
{
"type": "WEB",
"url": "https://github.com/Morgan-Phoenix/EnroCrypt/commit/e652d56ac60eadfc26489ab83927af13a9b9d8ce"
},
{
"type": "PACKAGE",
"url": "https://github.com/Morgan-Phoenix/EnroCrypt"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/enrocrypt/PYSEC-2021-385.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Improper hashing in enrocrypt"
}
GHSA-36H5-VRQ6-PP34
Vulnerability from github – Published: 2026-01-13 14:53 – Updated: 2026-01-21 16:23Vulnerability
https://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L869-L870
https://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L894-L895
The salt is derived from sha256Sum(passphrase). Two encryption operations with the same password will have the same derived key.
Impact
Pre-computation attacks.
Severity is considered low for internal uses of this library and high for consumers of this library.
Patches
Jervis will generate a random salt for each password and store it alongside the ciphertext.
Upgrade to Jervis 2.2.
Workarounds
None
References
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "net.gleske:jervis"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-68703"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-13T14:53:50Z",
"nvd_published_at": "2026-01-13T20:16:07Z",
"severity": "HIGH"
},
"details": "### Vulnerability\n\nhttps://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L869-L870\n\nhttps://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L894-L895\n\nThe salt is derived from sha256Sum(passphrase). Two encryption operations with the same password will have the same derived key.\n\n### Impact\n\nPre-computation attacks.\n\nSeverity is considered low for internal uses of this library and high for consumers of this library.\n\n### Patches\n\nJervis will generate a random salt for each password and store it alongside the ciphertext.\n\nUpgrade to Jervis 2.2.\n\n### Workarounds\n\nNone\n\n### References\n\n- [NIST SP 800-132: Password-Based Key Derivation](https://csrc.nist.gov/publications/detail/sp/800-132/final)",
"id": "GHSA-36h5-vrq6-pp34",
"modified": "2026-01-21T16:23:01Z",
"published": "2026-01-13T14:53:50Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/samrocketman/jervis/security/advisories/GHSA-36h5-vrq6-pp34"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68703"
},
{
"type": "WEB",
"url": "https://github.com/samrocketman/jervis/commit/c3981ff71de7b0f767dfe7b37a2372cb2a51974a"
},
{
"type": "PACKAGE",
"url": "https://github.com/samrocketman/jervis"
},
{
"type": "WEB",
"url": "https://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L869-L870"
},
{
"type": "WEB",
"url": "https://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L894-L895"
},
{
"type": "WEB",
"url": "http://github.com/samrocketman/jervis/commit/c3981ff71de7b0f767dfe7b37a2372cb2a51974a"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Jervis\u0027s Salt for PBKDF2 derived from password"
}
GHSA-39VM-P9MR-4R27
Vulnerability from github – Published: 2022-05-17 05:22 – Updated: 2024-09-12 21:05Beaker before 1.6.4, when using PyCrypto to encrypt sessions, uses AES in ECB cipher mode, which might allow remote attackers to obtain portions of sensitive session data via unspecified vectors.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "beaker"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2012-3458"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": true,
"github_reviewed_at": "2024-05-01T10:58:46Z",
"nvd_published_at": "2012-09-15T17:55:00Z",
"severity": "MODERATE"
},
"details": "Beaker before 1.6.4, when using PyCrypto to encrypt sessions, uses AES in ECB cipher mode, which might allow remote attackers to obtain portions of sensitive session data via unspecified vectors.",
"id": "GHSA-39vm-p9mr-4r27",
"modified": "2024-09-12T21:05:41Z",
"published": "2022-05-17T05:22:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-3458"
},
{
"type": "WEB",
"url": "https://github.com/bbangert/beaker/commit/91becae76101cf87ce8cbfabe3af2622fc328fe5"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=809267"
},
{
"type": "PACKAGE",
"url": "https://github.com/bbangert/beaker"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/beaker/PYSEC-2012-1.yaml"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20140724164516/http://secunia.com/advisories/50226"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20140725025612/http://secunia.com/advisories/50520"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2012/dsa-2541"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2012/08/13/10"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Beaker Sensitive Information Disclosure vulnerability"
}
GHSA-3F38-96QM-R3FW
Vulnerability from github – Published: 2023-11-09 18:34 – Updated: 2023-11-15 18:21An issue discovered in esptool 4.6.2 allows attackers to view sensitive information via weak cryptographic algorithm.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "esptool"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "4.6.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-46894"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": true,
"github_reviewed_at": "2023-11-09T22:10:33Z",
"nvd_published_at": "2023-11-09T16:15:34Z",
"severity": "HIGH"
},
"details": "An issue discovered in esptool 4.6.2 allows attackers to view sensitive information via weak cryptographic algorithm.",
"id": "GHSA-3f38-96qm-r3fw",
"modified": "2023-11-15T18:21:59Z",
"published": "2023-11-09T18:34:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46894"
},
{
"type": "WEB",
"url": "https://github.com/espressif/esptool/issues/926"
},
{
"type": "PACKAGE",
"url": "https://github.com/espressif/esptool"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/esptool/PYSEC-2023-234.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "esptool allows attackers to view sensitive information via weak cryptographic algorithm"
}
GHSA-3GG4-V4M9-RJ55
Vulnerability from github – Published: 2024-01-24 00:30 – Updated: 2024-03-21 03:36Lantronix XPort sends weakly encoded credentials within web request headers.
{
"affected": [],
"aliases": [
"CVE-2023-7237"
],
"database_specific": {
"cwe_ids": [
"CWE-261",
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-23T22:15:16Z",
"severity": "MODERATE"
},
"details": "\nLantronix XPort sends weakly encoded credentials within web request headers.\n\n",
"id": "GHSA-3gg4-v4m9-rj55",
"modified": "2024-03-21T03:36:24Z",
"published": "2024-01-24T00:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-7237"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-023-05"
},
{
"type": "WEB",
"url": "https://www.lantronix.com/products/xport-edge"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3GQ3-5GQH-97P3
Vulnerability from github – Published: 2022-05-17 02:57 – Updated: 2022-05-17 02:57IBM QRadar 7.2 uses outdated hashing algorithms to hash certain passwords, which could allow a local user to obtain and decrypt user credentials. IBM Reference #: 1997341.
{
"affected": [],
"aliases": [
"CVE-2016-2879"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-03-01T21:59:00Z",
"severity": "HIGH"
},
"details": "IBM QRadar 7.2 uses outdated hashing algorithms to hash certain passwords, which could allow a local user to obtain and decrypt user credentials. IBM Reference #: 1997341.",
"id": "GHSA-3gq3-5gqh-97p3",
"modified": "2022-05-17T02:57:03Z",
"published": "2022-05-17T02:57:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-2879"
},
{
"type": "WEB",
"url": "http://www.ibm.com/support/docview.wss?uid=swg21997341"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/96502"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Use an encryption scheme that is currently considered to be strong by experts in the field.
CAPEC-112: Brute Force
In this attack, some asset (information, functionality, identity, etc.) is protected by a finite secret value. The attacker attempts to gain access to this asset by using trial-and-error to exhaustively explore all the possible secret values in the hope of finding the secret (or a value that is functionally equivalent) that will unlock the asset.
CAPEC-192: Protocol Analysis
An adversary engages in activities to decipher and/or decode protocol information for a network or application communication protocol used for transmitting information between interconnected nodes or systems on a packet-switched data network. While this type of analysis involves the analysis of a networking protocol inherently, it does not require the presence of an actual or physical network.
CAPEC-20: Encryption Brute Forcing
An attacker, armed with the cipher text and the encryption algorithm used, performs an exhaustive (brute force) search on the key space to determine the key that decrypts the cipher text to obtain the plaintext.