Common Weakness Enumeration

CWE-326

Allowed-with-Review

Inadequate Encryption Strength

Abstraction: Class · Status: Draft

The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

635 vulnerabilities reference this CWE, most recent first.

GHSA-8CGG-HM22-RFWQ

Vulnerability from github – Published: 2022-05-17 03:44 – Updated: 2022-05-17 03:44
VLAI
Details

Huawei AR routers with software before V200R007C00SPC100; Quidway S9300 routers with software before V200R009C00; S12700 routers with software before V200R008C00SPC500; S9300, Quidway S5300, and S5300 routers with software before V200R007C00; and S5700 routers with software before V200R007C00SPC500 make it easier for remote authenticated administrators to obtain and decrypt passwords by leveraging selection of a reversible encryption algorithm.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2015-8085"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2016-10-03T21:59:00Z",
    "severity": "MODERATE"
  },
  "details": "Huawei AR routers with software before V200R007C00SPC100; Quidway S9300 routers with software before V200R009C00; S12700 routers with software before V200R008C00SPC500; S9300, Quidway S5300, and S5300 routers with software before V200R007C00; and S5700 routers with software before V200R007C00SPC500 make it easier for remote authenticated administrators to obtain and decrypt passwords by leveraging selection of a reversible encryption algorithm.",
  "id": "GHSA-8cgg-hm22-rfwq",
  "modified": "2022-05-17T03:44:02Z",
  "published": "2022-05-17T03:44:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-8085"
    },
    {
      "type": "WEB",
      "url": "http://www.huawei.com/en/psirt/security-advisories/hw-455876"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/76897"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8F9X-X39G-28FC

Vulnerability from github – Published: 2023-08-24 18:30 – Updated: 2024-04-04 07:10
VLAI
Details

An inadequate encryption strength vulnerability has been reported to affect QNAP operating systems. If exploited, the vulnerability possibly allows local network clients to decrypt the data using brute force attacks via unspecified vectors.

We have already fixed the vulnerability in the following versions: QTS 5.0.1.2425 build 20230609 and later QTS 5.1.0.2444 build 20230629 and later QTS 4.5.4.2467 build 20230718 and later QuTS hero h5.1.0.2424 build 20230609 and later QuTS hero h4.5.4.2476 build 20230728 and later

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-34971"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-08-24T17:15:08Z",
    "severity": "HIGH"
  },
  "details": "An inadequate encryption strength vulnerability has been reported to affect QNAP operating systems. If exploited, the vulnerability possibly allows local network clients to decrypt the data using brute force attacks via unspecified vectors.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.0.1.2425 build 20230609 and later\nQTS 5.1.0.2444 build 20230629 and later\nQTS 4.5.4.2467 build 20230718 and later\nQuTS hero h5.1.0.2424 build 20230609 and later\nQuTS hero h4.5.4.2476 build 20230728 and later\n",
  "id": "GHSA-8f9x-x39g-28fc",
  "modified": "2024-04-04T07:10:42Z",
  "published": "2023-08-24T18:30:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34971"
    },
    {
      "type": "WEB",
      "url": "https://www.qnap.com/en/security-advisory/qsa-23-60"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8G45-4CC8-CGMH

Vulnerability from github – Published: 2022-08-12 00:01 – Updated: 2022-08-14 00:00
VLAI
Details

On specific devices, there is a possible bypass of configuration integrity due to improperly used crypto. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-201078231References: N/A

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-20374"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-08-11T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "On specific devices, there is a possible bypass of configuration integrity due to improperly used crypto. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-201078231References: N/A",
  "id": "GHSA-8g45-4cc8-cgmh",
  "modified": "2022-08-14T00:00:22Z",
  "published": "2022-08-12T00:01:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20374"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/pixel/2022-08-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8G6P-5F49-WRW9

Vulnerability from github – Published: 2022-05-24 19:09 – Updated: 2022-07-13 00:01
VLAI
Details

IBM QRadar SIEM 7.3.0 to 7.3.3 Patch 8 and 7.4.0 to 7.4.3 GA uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 194448.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-20337"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-07-26T12:15:00Z",
    "severity": "HIGH"
  },
  "details": "IBM QRadar SIEM 7.3.0 to 7.3.3 Patch 8 and 7.4.0 to 7.4.3 GA uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 194448.",
  "id": "GHSA-8g6p-5f49-wrw9",
  "modified": "2022-07-13T00:01:04Z",
  "published": "2022-05-24T19:09:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20337"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/194448"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6474847"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8PH5-68PQ-3FM9

Vulnerability from github – Published: 2022-05-24 17:42 – Updated: 2025-03-26 18:30
VLAI
Details

In the ownCloud application before 2.15 for Android, the lock protection mechanism can be bypassed by moving the system date/time into the past.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-36250"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-02-19T07:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In the ownCloud application before 2.15 for Android, the lock protection mechanism can be bypassed by moving the system date/time into the past.",
  "id": "GHSA-8ph5-68pq-3fm9",
  "modified": "2025-03-26T18:30:33Z",
  "published": "2022-05-24T17:42:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36250"
    },
    {
      "type": "WEB",
      "url": "https://owncloud.com/security-advisories/security-lock-can-be-bypassed-by-changing-the-system-date"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8RHW-M58Q-QGM6

Vulnerability from github – Published: 2022-05-14 03:20 – Updated: 2022-05-14 03:20
VLAI
Details

IBM Security Guardium 10.0, 10.0.1, and 10.1 through 10.1.4 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 124675.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-1255"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-05-02T13:29:00Z",
    "severity": "HIGH"
  },
  "details": "IBM Security Guardium 10.0, 10.0.1, and 10.1 through 10.1.4 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 124675.",
  "id": "GHSA-8rhw-m58q-qgm6",
  "modified": "2022-05-14T03:20:03Z",
  "published": "2022-05-14T03:20:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1255"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/124675"
    },
    {
      "type": "WEB",
      "url": "http://www.ibm.com/support/docview.wss?uid=swg22014537"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8VFH-F45H-33PP

Vulnerability from github – Published: 2022-05-14 01:54 – Updated: 2022-05-14 01:54
VLAI
Details

An issue was discovered on MOXA EDS-G512E 5.1 build 16072215 devices. The password encryption method can be retrieved from the firmware. This encryption method is based on a chall value that is sent in cleartext as a POST parameter. An attacker could reverse the password encryption algorithm to retrieve it.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-13699"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-11-23T21:29:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered on MOXA EDS-G512E 5.1 build 16072215 devices. The password encryption method can be retrieved from the firmware. This encryption method is based on a chall value that is sent in cleartext as a POST parameter. An attacker could reverse the password encryption algorithm to retrieve it.",
  "id": "GHSA-8vfh-f45h-33pp",
  "modified": "2022-05-14T01:54:40Z",
  "published": "2022-05-14T01:54:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-13699"
    },
    {
      "type": "WEB",
      "url": "https://www.sentryo.net/wp-content/uploads/2017/11/Switch-Moxa-Analysis.pdf"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/106047"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8VH3-29MR-M9XG

Vulnerability from github – Published: 2021-09-01 18:31 – Updated: 2021-08-30 21:53
VLAI
Summary
Inadequate Encryption Strength in showdoc
Details

showdoc makes use of a hardcoded salt in its user password hash function

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "showdoc/showdoc"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2.9.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-3680"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326",
      "CWE-347"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-30T21:53:31Z",
    "nvd_published_at": "2021-08-04T13:15:00Z",
    "severity": "MODERATE"
  },
  "details": "showdoc makes use of a hardcoded salt in its user password hash function\n\n",
  "id": "GHSA-8vh3-29mr-m9xg",
  "modified": "2021-08-30T21:53:31Z",
  "published": "2021-09-01T18:31:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3680"
    },
    {
      "type": "WEB",
      "url": "https://github.com/star7th/showdoc/commit/4b962c1740311e0d46775023b6acba39ad60e370"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/star7th/showdoc"
    },
    {
      "type": "WEB",
      "url": "https://github.com/star7th/showdoc/blob/fd1740234a12804b45af9cac3563567d83ba414d/server/Application/Home/Model/UserModel.class.php#L20"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/76b49607-fba9-4100-9be7-cb459fe6cfe2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Inadequate Encryption Strength in showdoc"
}

GHSA-8VQM-PJ2F-G578

Vulnerability from github – Published: 2023-06-30 18:31 – Updated: 2024-04-04 05:19
VLAI
Details

An issue was discovered in SubmitEntityAction in Wikibase in MediaWiki through 1.39.3. Because it doesn't use EditEntity for undo and restore, the intended interaction with AbuseFilter does not occur.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-37301"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-30T17:15:09Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in SubmitEntityAction in Wikibase in MediaWiki through 1.39.3. Because it doesn\u0027t use EditEntity for undo and restore, the intended interaction with AbuseFilter does not occur.",
  "id": "GHSA-8vqm-pj2f-g578",
  "modified": "2024-04-04T05:19:00Z",
  "published": "2023-06-30T18:31:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37301"
    },
    {
      "type": "WEB",
      "url": "https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Wikibase/+/933663"
    },
    {
      "type": "WEB",
      "url": "https://phabricator.wikimedia.org/T250720"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8WR8-GR7J-V6CG

Vulnerability from github – Published: 2022-05-24 19:07 – Updated: 2022-07-13 00:01
VLAI
Details

A missing cryptographic step in the implementation of the hash digest algorithm in FortiMail 6.4.0 through 6.4.4, and 6.2.0 through 6.2.7 may allow an unauthenticated attacker to tamper with signed URLs by appending further data which allows bypass of signature verification.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-24020"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-07-09T19:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "A missing cryptographic step in the implementation of the hash digest algorithm in FortiMail 6.4.0 through 6.4.4, and 6.2.0 through 6.2.7 may allow an unauthenticated attacker to tamper with signed URLs by appending further data which allows bypass of signature verification.",
  "id": "GHSA-8wr8-gr7j-v6cg",
  "modified": "2022-07-13T00:01:10Z",
  "published": "2022-05-24T19:07:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-24020"
    },
    {
      "type": "WEB",
      "url": "https://fortiguard.com/advisory/FG-IR-21-027"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Use an encryption scheme that is currently considered to be strong by experts in the field.

CAPEC-112: Brute Force

In this attack, some asset (information, functionality, identity, etc.) is protected by a finite secret value. The attacker attempts to gain access to this asset by using trial-and-error to exhaustively explore all the possible secret values in the hope of finding the secret (or a value that is functionally equivalent) that will unlock the asset.

CAPEC-192: Protocol Analysis

An adversary engages in activities to decipher and/or decode protocol information for a network or application communication protocol used for transmitting information between interconnected nodes or systems on a packet-switched data network. While this type of analysis involves the analysis of a networking protocol inherently, it does not require the presence of an actual or physical network.

CAPEC-20: Encryption Brute Forcing

An attacker, armed with the cipher text and the encryption algorithm used, performs an exhaustive (brute force) search on the key space to determine the key that decrypts the cipher text to obtain the plaintext.