Common Weakness Enumeration

CWE-326

Allowed-with-Review

Inadequate Encryption Strength

Abstraction: Class · Status: Draft

The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

633 vulnerabilities reference this CWE, most recent first.

GHSA-W9QR-G73G-88CW

Vulnerability from github – Published: 2021-12-22 00:00 – Updated: 2021-12-28 00:01
VLAI
Details

Dell Wyse Management Suite version 3.3.1 and prior support insecure Transport Security Protocols TLS 1.0 and TLS 1.1 which are susceptible to Man-In-The-Middle attacks thereby compromising Confidentiality and Integrity of data.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-36337"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-12-21T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "Dell Wyse Management Suite version 3.3.1 and prior support insecure Transport Security Protocols TLS 1.0 and TLS 1.1 which are susceptible to Man-In-The-Middle attacks thereby compromising Confidentiality and Integrity of data.",
  "id": "GHSA-w9qr-g73g-88cw",
  "modified": "2021-12-28T00:01:16Z",
  "published": "2021-12-22T00:00:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36337"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/000193079"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-WC3X-QJ47-37MG

Vulnerability from github – Published: 2022-05-24 17:21 – Updated: 2024-04-04 02:54
VLAI
Details

The private-key operations in ecc.c in wolfSSL before 4.4.0 do not use a constant-time modular inverse when mapping to affine coordinates, aka a "projective coordinates leak."

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-11735"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203",
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-06-25T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The private-key operations in ecc.c in wolfSSL before 4.4.0 do not use a constant-time modular inverse when mapping to affine coordinates, aka a \"projective coordinates leak.\"",
  "id": "GHSA-wc3x-qj47-37mg",
  "modified": "2024-04-04T02:54:35Z",
  "published": "2022-05-24T17:21:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11735"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wolfSSL/wolfssl/commit/1de07da61f0c8e9926dcbd68119f73230dae283f"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wolfSSL/wolfssl/releases/tag/v4.4.0-stable"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WH9W-PC8Q-W744

Vulnerability from github – Published: 2022-05-24 17:28 – Updated: 2022-05-24 17:28
VLAI
Details

In various functions in fscrypt_ice.c and related files in some implementations of f2fs encryption that use encryption hardware which only supports 32-bit IVs (Initialization Vectors), 64-bit IVs are used and later are truncated to 32 bits. This may cause IV reuse and thus weakened disk encryption. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-153450752References: N/A

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-0407"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-09-17T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In various functions in fscrypt_ice.c and related files in some implementations of f2fs encryption that use encryption hardware which only supports 32-bit IVs (Initialization Vectors), 64-bit IVs are used and later are truncated to 32 bits. This may cause IV reuse and thus weakened disk encryption. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-153450752References: N/A",
  "id": "GHSA-wh9w-pc8q-w744",
  "modified": "2022-05-24T17:28:49Z",
  "published": "2022-05-24T17:28:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-0407"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/2020-09-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-WJ23-CPP8-Q2WC

Vulnerability from github – Published: 2022-05-13 01:14 – Updated: 2022-05-13 01:14
VLAI
Details

IBM Security Access Manager for Web 9.0.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 114462.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-3019"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-06-07T17:29:00Z",
    "severity": "MODERATE"
  },
  "details": "IBM Security Access Manager for Web 9.0.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 114462.",
  "id": "GHSA-wj23-cpp8-q2wc",
  "modified": "2022-05-13T01:14:03Z",
  "published": "2022-05-13T01:14:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-3019"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/114462"
    },
    {
      "type": "WEB",
      "url": "http://www.ibm.com/support/docview.wss?uid=swg21988419"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/98832"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1038616"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WM3Q-JWQR-F6R7

Vulnerability from github – Published: 2023-11-09 15:30 – Updated: 2023-11-20 18:30
VLAI
Details

The leakage of channel access token in DRAGON FAMILY Line 13.6.1 allows remote attackers to send malicious notifications to victims.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-47373"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-09T15:15:09Z",
    "severity": "MODERATE"
  },
  "details": "The leakage of channel access token in DRAGON FAMILY Line 13.6.1 allows remote attackers to send malicious notifications to victims.",
  "id": "GHSA-wm3q-jwqr-f6r7",
  "modified": "2023-11-20T18:30:46Z",
  "published": "2023-11-09T15:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47373"
    },
    {
      "type": "WEB",
      "url": "https://github.com/syz913/CVE-reports/blob/main/DRAGON%20FAMILY.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WMXW-5JH4-P3J8

Vulnerability from github – Published: 2022-05-13 01:21 – Updated: 2022-05-13 01:21
VLAI
Details

Airsonic 10.2.1 uses Spring's default remember-me mechanism based on MD5, with a fixed key of airsonic in GlobalSecurityConfig.java. An attacker able to capture cookies might be able to trivially bruteforce offline the passwords of associated users.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-10907"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-04-07T14:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "Airsonic 10.2.1 uses Spring\u0027s default remember-me mechanism based on MD5, with a fixed key of airsonic in GlobalSecurityConfig.java. An attacker able to capture cookies might be able to trivially bruteforce offline the passwords of associated users.",
  "id": "GHSA-wmxw-5jh4-p3j8",
  "modified": "2022-05-13T01:21:57Z",
  "published": "2022-05-13T01:21:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10907"
    },
    {
      "type": "WEB",
      "url": "https://github.com/airsonic/airsonic/commit/3e07ea52885f88d3fbec444dfd592f27bfb65647"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WP37-JVQQ-RRMF

Vulnerability from github – Published: 2022-04-30 18:21 – Updated: 2024-02-14 18:30
VLAI
Details

Alt-N Technologies Mdaemon 5.0 through 5.0.6 uses a weak encryption algorithm to store user passwords, which allows local users to crack passwords.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2002-1739"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2002-12-31T05:00:00Z",
    "severity": "LOW"
  },
  "details": "Alt-N Technologies Mdaemon 5.0 through 5.0.6 uses a weak encryption algorithm to store user passwords, which allows local users to crack passwords.",
  "id": "GHSA-wp37-jvqq-rrmf",
  "modified": "2024-02-14T18:30:22Z",
  "published": "2022-04-30T18:21:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2002-1739"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/9025"
    },
    {
      "type": "WEB",
      "url": "http://online.securityfocus.com/archive/1/271374"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/4686"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WP56-RP8W-8P9W

Vulnerability from github – Published: 2022-05-13 01:36 – Updated: 2022-05-13 01:36
VLAI
Details

An Inadequate Encryption Strength issue was discovered in Mirion Technologies DMC 3000 Transmitter Module, iPam Transmitter f/DMC 2000, RDS-31 iTX and variants (including RSD31-AM Package), DRM-1/2 and variants (including Solar PWR Package), DRM and RDS Based Boundary Monitors, External Transmitters, Telepole II, and MESH Repeater (Telemetry Enabled Devices). Decryption of data is possible at the hardware level.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-9645"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-09-20T16:29:00Z",
    "severity": "MODERATE"
  },
  "details": "An Inadequate Encryption Strength issue was discovered in Mirion Technologies DMC 3000 Transmitter Module, iPam Transmitter f/DMC 2000, RDS-31 iTX and variants (including RSD31-AM Package), DRM-1/2 and variants (including Solar PWR Package), DRM and RDS Based Boundary Monitors, External Transmitters, Telepole II, and MESH Repeater (Telemetry Enabled Devices). Decryption of data is possible at the hardware level.",
  "id": "GHSA-wp56-rp8w-8p9w",
  "modified": "2022-05-13T01:36:07Z",
  "published": "2022-05-13T01:36:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-9645"
    },
    {
      "type": "WEB",
      "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-208-02"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/100001"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WQ95-V39H-77G7

Vulnerability from github – Published: 2022-05-14 02:12 – Updated: 2022-05-14 02:12
VLAI
Details

An issue was discovered in certain Apple products. iOS before 10.2 is affected. macOS before 10.12.2 is affected. watchOS before 3.1.3 is affected. The issue involves the "Security" component, which makes it easier for attackers to bypass cryptographic protection mechanisms by leveraging use of the 3DES cipher.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-4693"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-02-20T08:59:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in certain Apple products. iOS before 10.2 is affected. macOS before 10.12.2 is affected. watchOS before 3.1.3 is affected. The issue involves the \"Security\" component, which makes it easier for attackers to bypass cryptographic protection mechanisms by leveraging use of the 3DES cipher.",
  "id": "GHSA-wq95-v39h-77g7",
  "modified": "2022-05-14T02:12:44Z",
  "published": "2022-05-14T02:12:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-4693"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/HT207422"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/HT207423"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/HT207487"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/94905"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1037469"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WQX4-CGQQ-CPGW

Vulnerability from github – Published: 2025-07-03 12:34 – Updated: 2025-07-03 12:34
VLAI
Details

The hard drives of the device are not encrypted using a full volume encryption feature such as BitLocker. This allows an attacker with physical access to the device to use an alternative operating system to interact with the hard drives, completely circumventing the Windows login. The attacker can read from and write to all files on the hard drives.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-27460"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312",
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-03T12:15:24Z",
    "severity": "HIGH"
  },
  "details": "The hard drives of the device are not encrypted using a full volume encryption feature such as BitLocker. This allows an attacker with physical access to the device to use an alternative operating system to interact with the hard drives, completely circumventing the Windows login. The attacker can read from and write to all files on the hard drives.",
  "id": "GHSA-wqx4-cgqq-cpgw",
  "modified": "2025-07-03T12:34:58Z",
  "published": "2025-07-03T12:34:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27460"
    },
    {
      "type": "WEB",
      "url": "https://sick.com/psirt"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"
    },
    {
      "type": "WEB",
      "url": "https://www.endress.com"
    },
    {
      "type": "WEB",
      "url": "https://www.first.org/cvss/calculator/3.1"
    },
    {
      "type": "WEB",
      "url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0008.json"
    },
    {
      "type": "WEB",
      "url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0008.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Use an encryption scheme that is currently considered to be strong by experts in the field.

CAPEC-112: Brute Force

In this attack, some asset (information, functionality, identity, etc.) is protected by a finite secret value. The attacker attempts to gain access to this asset by using trial-and-error to exhaustively explore all the possible secret values in the hope of finding the secret (or a value that is functionally equivalent) that will unlock the asset.

CAPEC-192: Protocol Analysis

An adversary engages in activities to decipher and/or decode protocol information for a network or application communication protocol used for transmitting information between interconnected nodes or systems on a packet-switched data network. While this type of analysis involves the analysis of a networking protocol inherently, it does not require the presence of an actual or physical network.

CAPEC-20: Encryption Brute Forcing

An attacker, armed with the cipher text and the encryption algorithm used, performs an exhaustive (brute force) search on the key space to determine the key that decrypts the cipher text to obtain the plaintext.