CWE-326
Allowed-with-ReviewInadequate Encryption Strength
Abstraction: Class · Status: Draft
The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
633 vulnerabilities reference this CWE, most recent first.
GHSA-3HJ5-HHQ7-F54X
Vulnerability from github – Published: 2022-05-14 03:47 – Updated: 2022-05-14 03:47In the Procter & Gamble "Oral-B App" (aka com.pg.oralb.oralbapp) application 5.0.0 for Android, AES encryption with static parameters is used to secure the locally stored shared preferences. An attacker can gain access to locally stored user data more easily by leveraging access to the preferences XML file.
{
"affected": [],
"aliases": [
"CVE-2018-5298"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-01-08T08:29:00Z",
"severity": "HIGH"
},
"details": "In the Procter \u0026 Gamble \"Oral-B App\" (aka com.pg.oralb.oralbapp) application 5.0.0 for Android, AES encryption with static parameters is used to secure the locally stored shared preferences. An attacker can gain access to locally stored user data more easily by leveraging access to the preferences XML file.",
"id": "GHSA-3hj5-hhq7-f54x",
"modified": "2022-05-14T03:47:38Z",
"published": "2022-05-14T03:47:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-5298"
},
{
"type": "WEB",
"url": "https://1337sec.blogspot.de/2018/01/auditing-oral-b-app-v500.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3JRW-Q59W-MPR2
Vulnerability from github – Published: 2025-06-03 15:31 – Updated: 2025-06-03 21:30An issue was discovered in Unicom Focal Point 7.6.1. The database is encrypted with a hardcoded key, making it easier to recover the cleartext data.
{
"affected": [],
"aliases": [
"CVE-2025-43925"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-03T15:15:58Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in Unicom Focal Point 7.6.1. The database is encrypted with a hardcoded key, making it easier to recover the cleartext data.",
"id": "GHSA-3jrw-q59w-mpr2",
"modified": "2025-06-03T21:30:37Z",
"published": "2025-06-03T15:31:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43925"
},
{
"type": "WEB",
"url": "https://www.unicomsi.com/products/focal-point"
},
{
"type": "WEB",
"url": "https://www.unicomsi.com/security-advisory"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3MPR-VW5V-HQ89
Vulnerability from github – Published: 2022-05-24 19:10 – Updated: 2022-07-13 00:01In JetBrains YouTrack before 2021.2.16363, system user passwords were hashed with SHA-256.
{
"affected": [],
"aliases": [
"CVE-2021-37551"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-06T14:15:00Z",
"severity": "MODERATE"
},
"details": "In JetBrains YouTrack before 2021.2.16363, system user passwords were hashed with SHA-256.",
"id": "GHSA-3mpr-vw5v-hq89",
"modified": "2022-07-13T00:01:34Z",
"published": "2022-05-24T19:10:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37551"
},
{
"type": "WEB",
"url": "https://blog.jetbrains.com/blog/2021/08/05/jetbrains-security-bulletin-q2-2021"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3MVX-8XGC-HH5R
Vulnerability from github – Published: 2022-04-21 00:00 – Updated: 2022-05-01 00:00Hills ComNav version 3002-19 suffers from a weak communication channel. Traffic across the local network for the configuration pages can be viewed by a malicious actor. The size of certain communications packets are predictable. This would allow an attacker to learn the state of the system if they can observe the traffic. This would be possible even if the traffic were encrypted, e.g., using WPA2, as the packet sizes would remain observable. The communication encryption scheme is theoretically sound, but is not strong enough for the level of protection required.
{
"affected": [],
"aliases": [
"CVE-2022-1318"
],
"database_specific": {
"cwe_ids": [
"CWE-203",
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-20T16:15:00Z",
"severity": "MODERATE"
},
"details": "Hills ComNav version 3002-19 suffers from a weak communication channel. Traffic across the local network for the configuration pages can be viewed by a malicious actor. The size of certain communications packets are predictable. This would allow an attacker to learn the state of the system if they can observe the traffic. This would be possible even if the traffic were encrypted, e.g., using WPA2, as the packet sizes would remain observable. The communication encryption scheme is theoretically sound, but is not strong enough for the level of protection required.",
"id": "GHSA-3mvx-8xgc-hh5r",
"modified": "2022-05-01T00:00:38Z",
"published": "2022-04-21T00:00:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1318"
},
{
"type": "WEB",
"url": "https://www.corporate.carrier.com/Images/CARR-PSA-Hills-ComNav-002-1121_tcm558-149392.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3PCW-VP3F-6HVH
Vulnerability from github – Published: 2022-05-13 01:37 – Updated: 2022-05-13 01:37Beckhoff TwinCAT supports communication over ADS. ADS is a protocol for industrial automation in protected environments. ADS has not been designed to achieve security purposes and therefore does not include any encryption algorithms because of their negative effect on performance and throughput. An attacker can forge arbitrary ADS packets when legitimate ADS traffic is observable.
{
"affected": [],
"aliases": [
"CVE-2017-16726"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-06-27T19:29:00Z",
"severity": "CRITICAL"
},
"details": "Beckhoff TwinCAT supports communication over ADS. ADS is a protocol for industrial automation in protected environments. ADS has not been designed to achieve security purposes and therefore does not include any encryption algorithms because of their negative effect on performance and throughput. An attacker can forge arbitrary ADS packets when legitimate ADS traffic is observable.",
"id": "GHSA-3pcw-vp3f-6hvh",
"modified": "2022-05-13T01:37:21Z",
"published": "2022-05-13T01:37:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-16726"
},
{
"type": "WEB",
"url": "https://download.beckhoff.com/download/Document/product-security/Advisories/advisory-2017-001.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3QPW-79H9-Q4JC
Vulnerability from github – Published: 2022-05-17 03:00 – Updated: 2022-05-17 03:00IBM AppScan Source uses a one-way hash without salt to encrypt highly sensitive information, which could allow a local attacker to decrypt information more easily.
{
"affected": [],
"aliases": [
"CVE-2016-3034"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-02-01T20:59:00Z",
"severity": "MODERATE"
},
"details": "IBM AppScan Source uses a one-way hash without salt to encrypt highly sensitive information, which could allow a local attacker to decrypt information more easily.",
"id": "GHSA-3qpw-79h9-q4jc",
"modified": "2022-05-17T03:00:02Z",
"published": "2022-05-17T03:00:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-3034"
},
{
"type": "WEB",
"url": "http://www.ibm.com/support/docview.wss?uid=swg21995903"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/95195"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3QRC-JGQF-VG35
Vulnerability from github – Published: 2022-12-22 21:30 – Updated: 2025-04-16 18:31When viewing an email message A, which contains an attached message B, where B is encrypted or digitally signed or both, Thunderbird may show an incorrect encryption or signature status. After opening and viewing the attached message B, when returning to the display of message A, the message A might be shown with the security status of message B. This vulnerability affects Thunderbird < 91.9.
{
"affected": [],
"aliases": [
"CVE-2022-1520"
],
"database_specific": {
"cwe_ids": [
"CWE-326",
"CWE-346"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-22T20:15:00Z",
"severity": "MODERATE"
},
"details": "When viewing an email message A, which contains an attached message B, where B is encrypted or digitally signed or both, Thunderbird may show an incorrect encryption or signature status. After opening and viewing the attached message B, when returning to the display of message A, the message A might be shown with the security status of message B. This vulnerability affects Thunderbird \u003c 91.9.",
"id": "GHSA-3qrc-jgqf-vg35",
"modified": "2025-04-16T18:31:35Z",
"published": "2022-12-22T21:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1520"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1745019"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2022-18"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3R87-4XWQ-XH86
Vulnerability from github – Published: 2025-11-10 21:30 – Updated: 2025-11-10 21:30Inappropriate implementation in App-Bound Encryption in Google Chrome on Windows prior to 142.0.7444.59 allowed a local attacker to obtain potentially sensitive information from process memory via a malicious file. (Chromium security severity: Medium)
{
"affected": [],
"aliases": [
"CVE-2025-12439"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-10T20:15:38Z",
"severity": "MODERATE"
},
"details": "Inappropriate implementation in App-Bound Encryption in Google Chrome on Windows prior to 142.0.7444.59 allowed a local attacker to obtain potentially sensitive information from process memory via a malicious file. (Chromium security severity: Medium)",
"id": "GHSA-3r87-4xwq-xh86",
"modified": "2025-11-10T21:30:35Z",
"published": "2025-11-10T21:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12439"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2025/10/stable-channel-update-for-desktop_28.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/382234536"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3W5V-CCPQ-XW6C
Vulnerability from github – Published: 2022-05-24 19:09 – Updated: 2023-08-08 15:31In Charm 0.43, any two users can collude to achieve the ability to decrypt YCT14 data.
{
"affected": [],
"aliases": [
"CVE-2021-37588"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-07-30T14:15:00Z",
"severity": "MODERATE"
},
"details": "In Charm 0.43, any two users can collude to achieve the ability to decrypt YCT14 data.",
"id": "GHSA-3w5v-ccpq-xw6c",
"modified": "2023-08-08T15:31:19Z",
"published": "2022-05-24T19:09:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37588"
},
{
"type": "WEB",
"url": "https://github.com/JHUISI/charm/issues/276"
},
{
"type": "WEB",
"url": "https://eprint.iacr.org/2020/460"
},
{
"type": "WEB",
"url": "https://github.com/JHUISI/charm/blob/dev/charm/schemes/abenc/abenc_yct14.py"
},
{
"type": "WEB",
"url": "https://www2.hci.uni-hannover.de/papers/Tan2019.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3W75-3VFV-C67R
Vulnerability from github – Published: 2022-05-13 01:37 – Updated: 2022-05-13 01:37IBM QRadar SIEM 7.2 and 7.3 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 134177.
{
"affected": [],
"aliases": [
"CVE-2017-1695"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-02-15T20:29:00Z",
"severity": "HIGH"
},
"details": "IBM QRadar SIEM 7.2 and 7.3 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 134177.",
"id": "GHSA-3w75-3vfv-c67r",
"modified": "2022-05-13T01:37:02Z",
"published": "2022-05-13T01:37:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1695"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/134177"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/docview.wss?uid=ibm10719107"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/107060"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Use an encryption scheme that is currently considered to be strong by experts in the field.
CAPEC-112: Brute Force
In this attack, some asset (information, functionality, identity, etc.) is protected by a finite secret value. The attacker attempts to gain access to this asset by using trial-and-error to exhaustively explore all the possible secret values in the hope of finding the secret (or a value that is functionally equivalent) that will unlock the asset.
CAPEC-192: Protocol Analysis
An adversary engages in activities to decipher and/or decode protocol information for a network or application communication protocol used for transmitting information between interconnected nodes or systems on a packet-switched data network. While this type of analysis involves the analysis of a networking protocol inherently, it does not require the presence of an actual or physical network.
CAPEC-20: Encryption Brute Forcing
An attacker, armed with the cipher text and the encryption algorithm used, performs an exhaustive (brute force) search on the key space to determine the key that decrypts the cipher text to obtain the plaintext.