CWE-326
Allowed-with-ReviewInadequate Encryption Strength
Abstraction: Class · Status: Draft
The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
633 vulnerabilities reference this CWE, most recent first.
GHSA-W9QR-G73G-88CW
Vulnerability from github – Published: 2021-12-22 00:00 – Updated: 2021-12-28 00:01Dell Wyse Management Suite version 3.3.1 and prior support insecure Transport Security Protocols TLS 1.0 and TLS 1.1 which are susceptible to Man-In-The-Middle attacks thereby compromising Confidentiality and Integrity of data.
{
"affected": [],
"aliases": [
"CVE-2021-36337"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-21T17:15:00Z",
"severity": "HIGH"
},
"details": "Dell Wyse Management Suite version 3.3.1 and prior support insecure Transport Security Protocols TLS 1.0 and TLS 1.1 which are susceptible to Man-In-The-Middle attacks thereby compromising Confidentiality and Integrity of data.",
"id": "GHSA-w9qr-g73g-88cw",
"modified": "2021-12-28T00:01:16Z",
"published": "2021-12-22T00:00:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36337"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/000193079"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-WC3X-QJ47-37MG
Vulnerability from github – Published: 2022-05-24 17:21 – Updated: 2024-04-04 02:54The private-key operations in ecc.c in wolfSSL before 4.4.0 do not use a constant-time modular inverse when mapping to affine coordinates, aka a "projective coordinates leak."
{
"affected": [],
"aliases": [
"CVE-2020-11735"
],
"database_specific": {
"cwe_ids": [
"CWE-203",
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-06-25T14:15:00Z",
"severity": "MODERATE"
},
"details": "The private-key operations in ecc.c in wolfSSL before 4.4.0 do not use a constant-time modular inverse when mapping to affine coordinates, aka a \"projective coordinates leak.\"",
"id": "GHSA-wc3x-qj47-37mg",
"modified": "2024-04-04T02:54:35Z",
"published": "2022-05-24T17:21:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11735"
},
{
"type": "WEB",
"url": "https://github.com/wolfSSL/wolfssl/commit/1de07da61f0c8e9926dcbd68119f73230dae283f"
},
{
"type": "WEB",
"url": "https://github.com/wolfSSL/wolfssl/releases/tag/v4.4.0-stable"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WH9W-PC8Q-W744
Vulnerability from github – Published: 2022-05-24 17:28 – Updated: 2022-05-24 17:28In various functions in fscrypt_ice.c and related files in some implementations of f2fs encryption that use encryption hardware which only supports 32-bit IVs (Initialization Vectors), 64-bit IVs are used and later are truncated to 32 bits. This may cause IV reuse and thus weakened disk encryption. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-153450752References: N/A
{
"affected": [],
"aliases": [
"CVE-2020-0407"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-09-17T16:15:00Z",
"severity": "MODERATE"
},
"details": "In various functions in fscrypt_ice.c and related files in some implementations of f2fs encryption that use encryption hardware which only supports 32-bit IVs (Initialization Vectors), 64-bit IVs are used and later are truncated to 32 bits. This may cause IV reuse and thus weakened disk encryption. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-153450752References: N/A",
"id": "GHSA-wh9w-pc8q-w744",
"modified": "2022-05-24T17:28:49Z",
"published": "2022-05-24T17:28:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-0407"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2020-09-01"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-WJ23-CPP8-Q2WC
Vulnerability from github – Published: 2022-05-13 01:14 – Updated: 2022-05-13 01:14IBM Security Access Manager for Web 9.0.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 114462.
{
"affected": [],
"aliases": [
"CVE-2016-3019"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-06-07T17:29:00Z",
"severity": "MODERATE"
},
"details": "IBM Security Access Manager for Web 9.0.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 114462.",
"id": "GHSA-wj23-cpp8-q2wc",
"modified": "2022-05-13T01:14:03Z",
"published": "2022-05-13T01:14:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-3019"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/114462"
},
{
"type": "WEB",
"url": "http://www.ibm.com/support/docview.wss?uid=swg21988419"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/98832"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1038616"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WM3Q-JWQR-F6R7
Vulnerability from github – Published: 2023-11-09 15:30 – Updated: 2023-11-20 18:30The leakage of channel access token in DRAGON FAMILY Line 13.6.1 allows remote attackers to send malicious notifications to victims.
{
"affected": [],
"aliases": [
"CVE-2023-47373"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-09T15:15:09Z",
"severity": "MODERATE"
},
"details": "The leakage of channel access token in DRAGON FAMILY Line 13.6.1 allows remote attackers to send malicious notifications to victims.",
"id": "GHSA-wm3q-jwqr-f6r7",
"modified": "2023-11-20T18:30:46Z",
"published": "2023-11-09T15:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47373"
},
{
"type": "WEB",
"url": "https://github.com/syz913/CVE-reports/blob/main/DRAGON%20FAMILY.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WMXW-5JH4-P3J8
Vulnerability from github – Published: 2022-05-13 01:21 – Updated: 2022-05-13 01:21Airsonic 10.2.1 uses Spring's default remember-me mechanism based on MD5, with a fixed key of airsonic in GlobalSecurityConfig.java. An attacker able to capture cookies might be able to trivially bruteforce offline the passwords of associated users.
{
"affected": [],
"aliases": [
"CVE-2019-10907"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-04-07T14:29:00Z",
"severity": "CRITICAL"
},
"details": "Airsonic 10.2.1 uses Spring\u0027s default remember-me mechanism based on MD5, with a fixed key of airsonic in GlobalSecurityConfig.java. An attacker able to capture cookies might be able to trivially bruteforce offline the passwords of associated users.",
"id": "GHSA-wmxw-5jh4-p3j8",
"modified": "2022-05-13T01:21:57Z",
"published": "2022-05-13T01:21:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10907"
},
{
"type": "WEB",
"url": "https://github.com/airsonic/airsonic/commit/3e07ea52885f88d3fbec444dfd592f27bfb65647"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WP37-JVQQ-RRMF
Vulnerability from github – Published: 2022-04-30 18:21 – Updated: 2024-02-14 18:30Alt-N Technologies Mdaemon 5.0 through 5.0.6 uses a weak encryption algorithm to store user passwords, which allows local users to crack passwords.
{
"affected": [],
"aliases": [
"CVE-2002-1739"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2002-12-31T05:00:00Z",
"severity": "LOW"
},
"details": "Alt-N Technologies Mdaemon 5.0 through 5.0.6 uses a weak encryption algorithm to store user passwords, which allows local users to crack passwords.",
"id": "GHSA-wp37-jvqq-rrmf",
"modified": "2024-02-14T18:30:22Z",
"published": "2022-04-30T18:21:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2002-1739"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/9025"
},
{
"type": "WEB",
"url": "http://online.securityfocus.com/archive/1/271374"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/4686"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WP56-RP8W-8P9W
Vulnerability from github – Published: 2022-05-13 01:36 – Updated: 2022-05-13 01:36An Inadequate Encryption Strength issue was discovered in Mirion Technologies DMC 3000 Transmitter Module, iPam Transmitter f/DMC 2000, RDS-31 iTX and variants (including RSD31-AM Package), DRM-1/2 and variants (including Solar PWR Package), DRM and RDS Based Boundary Monitors, External Transmitters, Telepole II, and MESH Repeater (Telemetry Enabled Devices). Decryption of data is possible at the hardware level.
{
"affected": [],
"aliases": [
"CVE-2017-9645"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-09-20T16:29:00Z",
"severity": "MODERATE"
},
"details": "An Inadequate Encryption Strength issue was discovered in Mirion Technologies DMC 3000 Transmitter Module, iPam Transmitter f/DMC 2000, RDS-31 iTX and variants (including RSD31-AM Package), DRM-1/2 and variants (including Solar PWR Package), DRM and RDS Based Boundary Monitors, External Transmitters, Telepole II, and MESH Repeater (Telemetry Enabled Devices). Decryption of data is possible at the hardware level.",
"id": "GHSA-wp56-rp8w-8p9w",
"modified": "2022-05-13T01:36:07Z",
"published": "2022-05-13T01:36:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-9645"
},
{
"type": "WEB",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-208-02"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/100001"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WQ95-V39H-77G7
Vulnerability from github – Published: 2022-05-14 02:12 – Updated: 2022-05-14 02:12An issue was discovered in certain Apple products. iOS before 10.2 is affected. macOS before 10.12.2 is affected. watchOS before 3.1.3 is affected. The issue involves the "Security" component, which makes it easier for attackers to bypass cryptographic protection mechanisms by leveraging use of the 3DES cipher.
{
"affected": [],
"aliases": [
"CVE-2016-4693"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-02-20T08:59:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in certain Apple products. iOS before 10.2 is affected. macOS before 10.12.2 is affected. watchOS before 3.1.3 is affected. The issue involves the \"Security\" component, which makes it easier for attackers to bypass cryptographic protection mechanisms by leveraging use of the 3DES cipher.",
"id": "GHSA-wq95-v39h-77g7",
"modified": "2022-05-14T02:12:44Z",
"published": "2022-05-14T02:12:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-4693"
},
{
"type": "WEB",
"url": "https://support.apple.com/HT207422"
},
{
"type": "WEB",
"url": "https://support.apple.com/HT207423"
},
{
"type": "WEB",
"url": "https://support.apple.com/HT207487"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/94905"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1037469"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WQX4-CGQQ-CPGW
Vulnerability from github – Published: 2025-07-03 12:34 – Updated: 2025-07-03 12:34The hard drives of the device are not encrypted using a full volume encryption feature such as BitLocker. This allows an attacker with physical access to the device to use an alternative operating system to interact with the hard drives, completely circumventing the Windows login. The attacker can read from and write to all files on the hard drives.
{
"affected": [],
"aliases": [
"CVE-2025-27460"
],
"database_specific": {
"cwe_ids": [
"CWE-312",
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-03T12:15:24Z",
"severity": "HIGH"
},
"details": "The hard drives of the device are not encrypted using a full volume encryption feature such as BitLocker. This allows an attacker with physical access to the device to use an alternative operating system to interact with the hard drives, completely circumventing the Windows login. The attacker can read from and write to all files on the hard drives.",
"id": "GHSA-wqx4-cgqq-cpgw",
"modified": "2025-07-03T12:34:58Z",
"published": "2025-07-03T12:34:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27460"
},
{
"type": "WEB",
"url": "https://sick.com/psirt"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"
},
{
"type": "WEB",
"url": "https://www.endress.com"
},
{
"type": "WEB",
"url": "https://www.first.org/cvss/calculator/3.1"
},
{
"type": "WEB",
"url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0008.json"
},
{
"type": "WEB",
"url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0008.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Use an encryption scheme that is currently considered to be strong by experts in the field.
CAPEC-112: Brute Force
In this attack, some asset (information, functionality, identity, etc.) is protected by a finite secret value. The attacker attempts to gain access to this asset by using trial-and-error to exhaustively explore all the possible secret values in the hope of finding the secret (or a value that is functionally equivalent) that will unlock the asset.
CAPEC-192: Protocol Analysis
An adversary engages in activities to decipher and/or decode protocol information for a network or application communication protocol used for transmitting information between interconnected nodes or systems on a packet-switched data network. While this type of analysis involves the analysis of a networking protocol inherently, it does not require the presence of an actual or physical network.
CAPEC-20: Encryption Brute Forcing
An attacker, armed with the cipher text and the encryption algorithm used, performs an exhaustive (brute force) search on the key space to determine the key that decrypts the cipher text to obtain the plaintext.