CWE-326
Allowed-with-ReviewInadequate Encryption Strength
Abstraction: Class · Status: Draft
The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
632 vulnerabilities reference this CWE, most recent first.
GHSA-45M8-H637-23MM
Vulnerability from github – Published: 2022-02-19 00:01 – Updated: 2023-07-24 15:30MMP: All versions prior to v1.0.3, PTP C-series: Device versions prior to v2.8.6.1, and PTMP C-series and A5x: Device versions prior to v2.5.4.1 uses the MD5 algorithm to hash the passwords before storing them but does not salt the hash. As a result, attackers may be able to crack the hashed passwords.
{
"affected": [],
"aliases": [
"CVE-2022-21800"
],
"database_specific": {
"cwe_ids": [
"CWE-326",
"CWE-327"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-02-18T18:15:00Z",
"severity": "MODERATE"
},
"details": "MMP: All versions prior to v1.0.3, PTP C-series: Device versions prior to v2.8.6.1, and PTMP C-series and A5x: Device versions prior to v2.5.4.1 uses the MD5 algorithm to hash the passwords before storing them but does not salt the hash. As a result, attackers may be able to crack the hashed passwords.",
"id": "GHSA-45m8-h637-23mm",
"modified": "2023-07-24T15:30:19Z",
"published": "2022-02-19T00:01:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21800"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-034-02"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-465G-5CJ6-WF64
Vulnerability from github – Published: 2022-05-17 02:51 – Updated: 2025-04-20 03:34The Mxit protocol uses weak encryption when encrypting user passwords, which might allow attackers to (1) decrypt hashed passwords by leveraging knowledge of client registration codes or (2) gain login access by eavesdropping on login messages and re-using the hashed passwords.
{
"affected": [],
"aliases": [
"CVE-2016-2379"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-03-29T20:59:00Z",
"severity": "HIGH"
},
"details": "The Mxit protocol uses weak encryption when encrypting user passwords, which might allow attackers to (1) decrypt hashed passwords by leveraging knowledge of client registration codes or (2) gain login access by eavesdropping on login messages and re-using the hashed passwords.",
"id": "GHSA-465g-5cj6-wf64",
"modified": "2025-04-20T03:34:58Z",
"published": "2022-05-17T02:51:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-2379"
},
{
"type": "WEB",
"url": "https://pidgin.im/news/security/?id=95"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201701-38"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/91335"
},
{
"type": "WEB",
"url": "http://www.talosintelligence.com/reports/TALOS-2016-0122"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-468W-RC5F-76WX
Vulnerability from github – Published: 2022-08-16 00:00 – Updated: 2022-08-17 00:00Apache OpenOffice supports the storage of passwords for web connections in the user's configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in OpenOffice existed where master key was poorly encoded resulting in weakening its entropy from 128 to 43 bits making the stored passwords vulnerable to a brute force attack if an attacker has access to the users stored config. This issue affects: Apache OpenOffice versions prior to 4.1.13. Reference: CVE-2022-26307 - LibreOffice
{
"affected": [],
"aliases": [
"CVE-2022-37401"
],
"database_specific": {
"cwe_ids": [
"CWE-312",
"CWE-326",
"CWE-331"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-15T11:21:00Z",
"severity": "HIGH"
},
"details": "Apache OpenOffice supports the storage of passwords for web connections in the user\u0027s configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in OpenOffice existed where master key was poorly encoded resulting in weakening its entropy from 128 to 43 bits making the stored passwords vulnerable to a brute force attack if an attacker has access to the users stored config. This issue affects: Apache OpenOffice versions prior to 4.1.13. Reference: CVE-2022-26307 - LibreOffice",
"id": "GHSA-468w-rc5f-76wx",
"modified": "2022-08-17T00:00:22Z",
"published": "2022-08-16T00:00:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37401"
},
{
"type": "WEB",
"url": "https://www.openoffice.org/security/cves/CVE-2022-37401.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2022/08/13/2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4862-X8VR-278V
Vulnerability from github – Published: 2022-05-13 01:37 – Updated: 2022-05-13 01:37IBM InfoSphere Streams 4.2.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 134632.
{
"affected": [],
"aliases": [
"CVE-2017-1713"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-03-21T15:59:00Z",
"severity": "MODERATE"
},
"details": "IBM InfoSphere Streams 4.2.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 134632.",
"id": "GHSA-4862-x8vr-278v",
"modified": "2022-05-13T01:37:02Z",
"published": "2022-05-13T01:37:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1713"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/134632"
},
{
"type": "WEB",
"url": "http://www.ibm.com/support/docview.wss?uid=swg22016056"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-48CR-J2CX-MCR8
Vulnerability from github – Published: 2024-09-25 09:30 – Updated: 2025-07-11 15:04Inadequate Encryption Strength vulnerability in Apache Answer.
This issue affects Apache Answer: through 1.3.5.
Using the MD5 value of a user's email to access Gravatar is insecure and can lead to the leakage of user email. The official recommendation is to use SHA256 instead. Users are recommended to upgrade to version 1.4.0, which fixes the issue.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/apache/incubator-answer"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.4.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-40761"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": true,
"github_reviewed_at": "2024-09-25T14:31:51Z",
"nvd_published_at": "2024-09-25T08:15:04Z",
"severity": "MODERATE"
},
"details": "Inadequate Encryption Strength vulnerability in Apache Answer.\n\nThis issue affects Apache Answer: through 1.3.5.\n\nUsing the MD5 value of a user\u0027s email to access Gravatar is insecure and can lead to the leakage of user email. The official recommendation is to use SHA256 instead.\nUsers are recommended to upgrade to version 1.4.0, which fixes the issue.",
"id": "GHSA-48cr-j2cx-mcr8",
"modified": "2025-07-11T15:04:13Z",
"published": "2024-09-25T09:30:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40761"
},
{
"type": "WEB",
"url": "https://github.com/apache/incubator-answer/commit/c3a17046c6c3be1cec16ba49d07d9f7742b7260f"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/incubator-answer"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/mmrhsfy16qwrw0pkv0p9kj40vy3sg08x"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/09/25/2"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/09/25/5"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/09/25/6"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/09/25/7"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/09/25/8"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/09/26/1"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/09/26/3"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/09/26/4"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/09/27/4"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/09/27/5"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/09/27/8"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/U:Green",
"type": "CVSS_V4"
}
],
"summary": "Apache Answer: Avatar URL leaked user email addresses"
}
GHSA-49RV-55MV-J6CW
Vulnerability from github – Published: 2023-09-27 15:30 – Updated: 2024-04-04 07:54Vulnerability of 5G messages being sent without being encrypted in a VPN environment in the SMS message module. Successful exploitation of this vulnerability may affect confidentiality.
{
"affected": [],
"aliases": [
"CVE-2023-41305"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-27T15:19:28Z",
"severity": "HIGH"
},
"details": "Vulnerability of 5G messages being sent without being encrypted in a VPN environment in the SMS message module. Successful exploitation of this vulnerability may affect confidentiality.",
"id": "GHSA-49rv-55mv-j6cw",
"modified": "2024-04-04T07:54:07Z",
"published": "2023-09-27T15:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41305"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/en/support/bulletin/2023/9"
},
{
"type": "WEB",
"url": "https://device.harmonyos.com/en/docs/security/update/security-bulletins-202309-0000001638925158"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4CGJ-CRGG-XWGF
Vulnerability from github – Published: 2022-05-14 01:53 – Updated: 2022-05-14 01:53Vulnerable hash algorithms exists in Schneider Electric's Modicon Premium, Modicon Quantum, Modicon M340, and BMXNOR0200 controllers in all versions of the communication modules. The algorithm used to encrypt the password is vulnerable to hash collision attacks.
{
"affected": [],
"aliases": [
"CVE-2018-7242"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-04-18T20:29:00Z",
"severity": "CRITICAL"
},
"details": "Vulnerable hash algorithms exists in Schneider Electric\u0027s Modicon Premium, Modicon Quantum, Modicon M340, and BMXNOR0200 controllers in all versions of the communication modules. The algorithm used to encrypt the password is vulnerable to hash collision attacks.",
"id": "GHSA-4cgj-crgg-xwgf",
"modified": "2022-05-14T01:53:03Z",
"published": "2022-05-14T01:53:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7242"
},
{
"type": "WEB",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-086-01"
},
{
"type": "WEB",
"url": "https://www.schneider-electric.com/en/download/document/SEVD-2018-081-01"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/103543"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4CH5-CGM2-X6H9
Vulnerability from github – Published: 2023-02-11 03:32 – Updated: 2023-02-21 18:30SupportAssist for Home PCs (version 3.11.4 and prior) and SupportAssist for Business PCs (version 3.2.0 and prior) contain cryptographic weakness vulnerability. An authenticated non-admin user could potentially exploit the issue and obtain sensitive information.
{
"affected": [],
"aliases": [
"CVE-2022-34385"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-11T01:23:00Z",
"severity": "MODERATE"
},
"details": "SupportAssist for Home PCs (version 3.11.4 and prior) and SupportAssist for Business PCs (version 3.2.0 and prior) contain cryptographic weakness vulnerability. An authenticated non-admin user could potentially exploit the issue and obtain sensitive information.",
"id": "GHSA-4ch5-cgm2-x6h9",
"modified": "2023-02-21T18:30:24Z",
"published": "2023-02-11T03:32:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34385"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/000204114"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4F66-7259-G5WM
Vulnerability from github – Published: 2021-12-16 00:01 – Updated: 2023-08-08 15:31A Broken or Risky Cryptographic Algorithm exists in AnonAddy 0.8.5 via VerificationController.php.
{
"affected": [],
"aliases": [
"CVE-2021-42216"
],
"database_specific": {
"cwe_ids": [
"CWE-326",
"CWE-327"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-15T18:15:00Z",
"severity": "CRITICAL"
},
"details": "A Broken or Risky Cryptographic Algorithm exists in AnonAddy 0.8.5 via VerificationController.php.",
"id": "GHSA-4f66-7259-g5wm",
"modified": "2023-08-08T15:31:24Z",
"published": "2021-12-16T00:01:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42216"
},
{
"type": "WEB",
"url": "https://github.com/anonaddy/anonaddy/blob/0478d9e8d364787f203113544123048a41f022c0/app/Http/Controllers/Auth/VerificationController.php#L67"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/419f4e8a-ee15-4f80-bcbf-5c83513515dd"
},
{
"type": "WEB",
"url": "http://anonaddy.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4H4H-MCVX-FFV6
Vulnerability from github – Published: 2022-05-24 17:32 – Updated: 2022-05-24 17:32On BIG-IP 13.1.0-13.1.3.4, 12.1.0-12.1.5.2, and 11.6.1-11.6.5.2, when negotiating IPSec tunnels with configured, authenticated peers, the peer may negotiate a different key length than the BIG-IP configuration would otherwise allow.
{
"affected": [],
"aliases": [
"CVE-2020-5938"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-29T14:15:00Z",
"severity": "MODERATE"
},
"details": "On BIG-IP 13.1.0-13.1.3.4, 12.1.0-12.1.5.2, and 11.6.1-11.6.5.2, when negotiating IPSec tunnels with configured, authenticated peers, the peer may negotiate a different key length than the BIG-IP configuration would otherwise allow.",
"id": "GHSA-4h4h-mcvx-ffv6",
"modified": "2022-05-24T17:32:43Z",
"published": "2022-05-24T17:32:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5938"
},
{
"type": "WEB",
"url": "https://support.f5.com/csp/article/K76610106"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation
Use an encryption scheme that is currently considered to be strong by experts in the field.
CAPEC-112: Brute Force
In this attack, some asset (information, functionality, identity, etc.) is protected by a finite secret value. The attacker attempts to gain access to this asset by using trial-and-error to exhaustively explore all the possible secret values in the hope of finding the secret (or a value that is functionally equivalent) that will unlock the asset.
CAPEC-192: Protocol Analysis
An adversary engages in activities to decipher and/or decode protocol information for a network or application communication protocol used for transmitting information between interconnected nodes or systems on a packet-switched data network. While this type of analysis involves the analysis of a networking protocol inherently, it does not require the presence of an actual or physical network.
CAPEC-20: Encryption Brute Forcing
An attacker, armed with the cipher text and the encryption algorithm used, performs an exhaustive (brute force) search on the key space to determine the key that decrypts the cipher text to obtain the plaintext.