CWE-326
Allowed-with-ReviewInadequate Encryption Strength
Abstraction: Class · Status: Draft
The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
632 vulnerabilities reference this CWE, most recent first.
GHSA-3WMF-WHVW-C22M
Vulnerability from github – Published: 2026-07-07 12:31 – Updated: 2026-07-08 21:30The encryption algorithm used to protect the configuration of user accounts, stored in the built-in user directory of PcVue projects, all versions prior to 17.0.0, is not strong enough for the level of protection required. A local attacker could alter the existing configuration and ultimately gain privileged access to the PcVue application.
{
"affected": [],
"aliases": [
"CVE-2026-14868"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-07T10:16:40Z",
"severity": "HIGH"
},
"details": "The encryption algorithm used to protect the configuration of user accounts, stored in the built-in user directory of PcVue projects, all\u00a0versions prior to 17.0.0, is not strong enough for the level of protection required. A local attacker could alter the existing configuration and ultimately gain privileged access to the PcVue application.",
"id": "GHSA-3wmf-whvw-c22m",
"modified": "2026-07-08T21:30:25Z",
"published": "2026-07-07T12:31:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14868"
},
{
"type": "WEB",
"url": "https://www.pcvue.com/security/#SB2026-5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:X/RE:M/U:Amber",
"type": "CVSS_V4"
}
]
}
GHSA-3WX7-46CH-7RQ2
Vulnerability from github – Published: 2022-07-06 19:57 – Updated: 2024-06-24 21:24AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimized implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was pre-existing in the memory that wasn't written. In the special case of "in place" encryption, sixteen bytes of the plaintext would be revealed.
Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "openssl-src"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "111.22.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "crates.io",
"name": "openssl-src"
},
"ranges": [
{
"events": [
{
"introduced": "300.0.0"
},
{
"fixed": "300.0.9"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-2097"
],
"database_specific": {
"cwe_ids": [
"CWE-311",
"CWE-326",
"CWE-327"
],
"github_reviewed": true,
"github_reviewed_at": "2022-07-06T19:57:19Z",
"nvd_published_at": "2022-07-05T11:15:00Z",
"severity": "HIGH"
},
"details": "AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimized implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was pre-existing in the memory that wasn\u0027t written. In the special case of \"in place\" encryption, sixteen bytes of the plaintext would be revealed.\n\nSince OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected.",
"id": "GHSA-3wx7-46ch-7rq2",
"modified": "2024-06-24T21:24:18Z",
"published": "2022-07-06T19:57:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2097"
},
{
"type": "WEB",
"url": "https://www.openssl.org/news/secadv/20220705.txt"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2023/dsa-5343"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20240621-0006"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20230420-0008"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20220715-0011"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202210-02"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2022-0032.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VCMNWKERPBKOEBNL7CLTTX3ZZCZLH7XA"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V6567JERRHHJW2GNGJGKDRNHR7SNPZK7"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R6CK57NBQFTPUMXAPJURCGXUYT76NQAK"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VCMNWKERPBKOEBNL7CLTTX3ZZCZLH7XA"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V6567JERRHHJW2GNGJGKDRNHR7SNPZK7"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R6CK57NBQFTPUMXAPJURCGXUYT76NQAK"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/02/msg00019.html"
},
{
"type": "PACKAGE",
"url": "https://github.com/alexcrichton/openssl-src-rs"
},
{
"type": "WEB",
"url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=a98f339ddd7e8f487d6e0088d4a9a42324885a93"
},
{
"type": "WEB",
"url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=919925673d6c9cfed3c1085497f5dfbbed5fc431"
},
{
"type": "WEB",
"url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=a98f339ddd7e8f487d6e0088d4a9a42324885a93"
},
{
"type": "WEB",
"url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=919925673d6c9cfed3c1085497f5dfbbed5fc431"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "AES OCB fails to encrypt some bytes"
}
GHSA-3X5W-JX9Q-34GC
Vulnerability from github – Published: 2022-05-17 02:58 – Updated: 2022-05-17 02:58An issue was discovered in certain Apple products. iOS before 10.1 is affected. The issue involves the "iTunes Backup" component, which improperly hashes passwords, making it easier to decrypt files.
{
"affected": [],
"aliases": [
"CVE-2016-4685"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-02-20T08:59:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in certain Apple products. iOS before 10.1 is affected. The issue involves the \"iTunes Backup\" component, which improperly hashes passwords, making it easier to decrypt files.",
"id": "GHSA-3x5w-jx9q-34gc",
"modified": "2022-05-17T02:58:03Z",
"published": "2022-05-17T02:58:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-4685"
},
{
"type": "WEB",
"url": "https://support.apple.com/HT207271"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/94432"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3X7R-H96M-8M94
Vulnerability from github – Published: 2022-05-07 00:00 – Updated: 2022-05-19 00:00Weak web transport security (Weak TLS): An attacker may be able to decrypt the data using attacks
{
"affected": [],
"aliases": [
"CVE-2021-27761"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-06T18:15:00Z",
"severity": "HIGH"
},
"details": "Weak web transport security (Weak TLS): An attacker may be able to decrypt the data using attacks",
"id": "GHSA-3x7r-h96m-8m94",
"modified": "2022-05-19T00:00:37Z",
"published": "2022-05-07T00:00:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27761"
},
{
"type": "WEB",
"url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0098116"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4288-5JH6-5936
Vulnerability from github – Published: 2022-05-14 03:37 – Updated: 2022-05-14 03:37IBM Security Guardium Big Data Intelligence (SonarG) 3.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 139003.
{
"affected": [],
"aliases": [
"CVE-2018-1425"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-02-27T17:29:00Z",
"severity": "MODERATE"
},
"details": "IBM Security Guardium Big Data Intelligence (SonarG) 3.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 139003.",
"id": "GHSA-4288-5jh6-5936",
"modified": "2022-05-14T03:37:15Z",
"published": "2022-05-14T03:37:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1425"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/139033"
},
{
"type": "WEB",
"url": "http://www.ibm.com/support/docview.wss?uid=swg22013751"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/103229"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-429X-PHJ9-4788
Vulnerability from github – Published: 2022-05-24 17:43 – Updated: 2023-08-08 15:31An issue was discovered in Joomla! 3.2.0 through 3.9.24. Usage of the insecure rand() function within the process of generating the 2FA secret.
{
"affected": [],
"aliases": [
"CVE-2021-23126"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-03-04T18:15:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in Joomla! 3.2.0 through 3.9.24. Usage of the insecure rand() function within the process of generating the 2FA secret.",
"id": "GHSA-429x-phj9-4788",
"modified": "2023-08-08T15:31:16Z",
"published": "2022-05-24T17:43:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23126"
},
{
"type": "WEB",
"url": "https://developer.joomla.org/security-centre/841-20210301-core-insecure-randomness-within-2fa-secret-generation.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-42C8-GHXG-4F28
Vulnerability from github – Published: 2022-05-24 19:09 – Updated: 2022-07-13 00:01In Charm 0.43, any single user can decrypt DAC-MACS or MA-ABE-YJ14 data.
{
"affected": [],
"aliases": [
"CVE-2021-37587"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-07-30T14:15:00Z",
"severity": "MODERATE"
},
"details": "In Charm 0.43, any single user can decrypt DAC-MACS or MA-ABE-YJ14 data.",
"id": "GHSA-42c8-ghxg-4f28",
"modified": "2022-07-13T00:01:34Z",
"published": "2022-05-24T19:09:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37587"
},
{
"type": "WEB",
"url": "https://github.com/JHUISI/charm/issues/276"
},
{
"type": "WEB",
"url": "https://eprint.iacr.org/2020/460"
},
{
"type": "WEB",
"url": "https://jhuisi.github.io/charm/_modules/abenc_maabe_yj14.html"
},
{
"type": "WEB",
"url": "https://jhuisi.github.io/charm/charm/schemes/abenc/abenc_dacmacs_yj14.html"
},
{
"type": "WEB",
"url": "https://www2.hci.uni-hannover.de/papers/Tan2019.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-43HF-R4F6-553P
Vulnerability from github – Published: 2022-05-24 17:13 – Updated: 2023-05-16 21:30ABB eSOMS versions 4.0 to 6.0.3 accept connections using medium strength ciphers. If a connection is enabled using such a cipher, an attacker might be able to eavesdrop and/or intercept the connection.
{
"affected": [],
"aliases": [
"CVE-2019-19097"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-04-02T20:15:00Z",
"severity": "MODERATE"
},
"details": "ABB eSOMS versions 4.0 to 6.0.3 accept connections using medium strength ciphers. If a connection is enabled using such a cipher, an attacker might be able to eavesdrop and/or intercept the connection.",
"id": "GHSA-43hf-r4f6-553p",
"modified": "2023-05-16T21:30:17Z",
"published": "2022-05-24T17:13:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19097"
},
{
"type": "WEB",
"url": "https://search.abb.com/library/Download.aspx?DocumentID=9AKK107492A9964\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-442G-GCG6-MHM4
Vulnerability from github – Published: 2022-05-24 22:01 – Updated: 2022-11-22 19:04An issue was discovered in Lightbend Play Framework 2.5.x through 2.6.23. When configured to make requests using an authenticated HTTP proxy, play-ws may sometimes, typically under high load, when connecting to a target host using https, expose the proxy credentials to the target host.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.typesafe.play:play-ws_2.12"
},
"ranges": [
{
"events": [
{
"introduced": "2.5.0"
},
{
"fixed": "2.6.24"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-17598"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": true,
"github_reviewed_at": "2022-11-22T19:04:39Z",
"nvd_published_at": "2019-11-05T15:15:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in Lightbend Play Framework 2.5.x through 2.6.23. When configured to make requests using an authenticated HTTP proxy, play-ws may sometimes, typically under high load, when connecting to a target host using https, expose the proxy credentials to the target host.",
"id": "GHSA-442g-gcg6-mhm4",
"modified": "2022-11-22T19:04:39Z",
"published": "2022-05-24T22:01:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17598"
},
{
"type": "WEB",
"url": "https://www.playframework.com/security/vulnerability"
},
{
"type": "WEB",
"url": "https://www.playframework.com/security/vulnerability/CVE-2019-17598-PlayWSHttpConnectAuthorizationHeaders"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Play Framework Inadequate Encryption Strength vulnerability"
}
GHSA-4497-XVM3-5VH9
Vulnerability from github – Published: 2025-11-22 00:31 – Updated: 2025-12-03 21:31With TLS 1.3 pre-shared key (PSK) a malicious or faulty server could ignore the request for PFS (perfect forward secrecy) and the client would continue on with the connection using PSK without PFS. This happened when a server responded to a ClientHello containing psk_dhe_ke without a key_share extension. The re-use of an authenticated PSK connection that on the clients side unexpectedly did not have PFS, reduces the security of the connection.
{
"affected": [],
"aliases": [
"CVE-2025-11935"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-21T22:16:18Z",
"severity": "MODERATE"
},
"details": "With TLS 1.3 pre-shared key (PSK) a malicious or faulty server could ignore the request for PFS (perfect forward secrecy) and the client would continue on with the connection using PSK without PFS. This happened when a\u00a0server responded to a ClientHello containing psk_dhe_ke without a key_share extension.\u00a0The re-use of an authenticated PSK connection that on the clients side unexpectedly did not have PFS, reduces the security of the connection.",
"id": "GHSA-4497-xvm3-5vh9",
"modified": "2025-12-03T21:31:01Z",
"published": "2025-11-22T00:31:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11935"
},
{
"type": "WEB",
"url": "https://github.com/wolfSSL/wolfssl/pull/9112"
},
{
"type": "WEB",
"url": "https://github.com/wolfSSL/wolfssl"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation
Use an encryption scheme that is currently considered to be strong by experts in the field.
CAPEC-112: Brute Force
In this attack, some asset (information, functionality, identity, etc.) is protected by a finite secret value. The attacker attempts to gain access to this asset by using trial-and-error to exhaustively explore all the possible secret values in the hope of finding the secret (or a value that is functionally equivalent) that will unlock the asset.
CAPEC-192: Protocol Analysis
An adversary engages in activities to decipher and/or decode protocol information for a network or application communication protocol used for transmitting information between interconnected nodes or systems on a packet-switched data network. While this type of analysis involves the analysis of a networking protocol inherently, it does not require the presence of an actual or physical network.
CAPEC-20: Encryption Brute Forcing
An attacker, armed with the cipher text and the encryption algorithm used, performs an exhaustive (brute force) search on the key space to determine the key that decrypts the cipher text to obtain the plaintext.