CWE-326
Allowed-with-ReviewInadequate Encryption Strength
Abstraction: Class · Status: Draft
The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
631 vulnerabilities reference this CWE, most recent first.
GHSA-6WJF-4887-CJ22
Vulnerability from github – Published: 2022-04-30 18:22 – Updated: 2024-02-14 18:30Sharp Zaurus PDA SL-5000D and SL-5500 uses a salt of "A0" to encrypt the screen-locking password as stored in the Security.conf file, which makes it easier for local users to guess the password via brute force methods.
{
"affected": [],
"aliases": [
"CVE-2002-1975"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2002-12-31T05:00:00Z",
"severity": "LOW"
},
"details": "Sharp Zaurus PDA SL-5000D and SL-5500 uses a salt of \"A0\" to encrypt the screen-locking password as stored in the Security.conf file, which makes it easier for local users to guess the password via brute force methods.",
"id": "GHSA-6wjf-4887-cj22",
"modified": "2024-02-14T18:30:23Z",
"published": "2022-04-30T18:22:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2002-1975"
},
{
"type": "WEB",
"url": "http://online.securityfocus.com/archive/1/281437"
},
{
"type": "WEB",
"url": "http://www.iss.net/security_center/static/9535.php"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/5201"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6X5V-HWXC-Q4HH
Vulnerability from github – Published: 2022-05-24 22:00 – Updated: 2022-05-24 22:00The Print Service is susceptible to man in the middle attacks due to improperly used crypto. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-115635664
{
"affected": [],
"aliases": [
"CVE-2019-9399"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-09-27T19:15:00Z",
"severity": "MODERATE"
},
"details": "The Print Service is susceptible to man in the middle attacks due to improperly used crypto. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-115635664",
"id": "GHSA-6x5v-hwxc-q4hh",
"modified": "2022-05-24T22:00:53Z",
"published": "2022-05-24T22:00:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9399"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/android-10"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-722R-MGVR-P46C
Vulnerability from github – Published: 2022-05-13 01:36 – Updated: 2022-05-13 01:36The GridServer Broker, GridServer Driver, and GridServer Engine components of TIBCO Software Inc. TIBCO DataSynapse GridServer Manager contain vulnerabilities related to both the improper use of encryption mechanisms and the use of weak ciphers. A malicious actor could theoretically compromise the traffic between any of the components. Affected releases include TIBCO Software Inc.'s TIBCO DataSynapse GridServer Manager: versions up to and including 5.1.3; 6.0.0; 6.0.1; 6.0.2; 6.1.0; 6.1.1; and 6.2.0.
{
"affected": [],
"aliases": [
"CVE-2017-5535"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-05-01T18:29:00Z",
"severity": "MODERATE"
},
"details": "The GridServer Broker, GridServer Driver, and GridServer Engine components of TIBCO Software Inc. TIBCO DataSynapse GridServer Manager contain vulnerabilities related to both the improper use of encryption mechanisms and the use of weak ciphers. A malicious actor could theoretically compromise the traffic between any of the components. Affected releases include TIBCO Software Inc.\u0027s TIBCO DataSynapse GridServer Manager: versions up to and including 5.1.3; 6.0.0; 6.0.1; 6.0.2; 6.1.0; 6.1.1; and 6.2.0.",
"id": "GHSA-722r-mgvr-p46c",
"modified": "2022-05-13T01:36:37Z",
"published": "2022-05-13T01:36:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5535"
},
{
"type": "WEB",
"url": "https://www.tibco.com/support/advisories/2018/05/security-advisory-may-1-2018-tibco-datasynapse-gridserver-2017-5535"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-73VM-8JVG-JPQH
Vulnerability from github – Published: 2022-05-24 17:17 – Updated: 2022-05-24 17:17** PRODUCT NOT SUPPORTED WHEN ASSIGNED ** Oracle iPlanet Web Server 7.0.x has Incorrect Access Control for admingui/version URIs in the Administration console, as demonstrated by unauthenticated read access to encryption keys. NOTE: a related support policy can be found in the www.oracle.com references attached to this CVE.
{
"affected": [],
"aliases": [
"CVE-2020-9315"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-05-10T23:15:00Z",
"severity": "MODERATE"
},
"details": "** PRODUCT NOT SUPPORTED WHEN ASSIGNED ** Oracle iPlanet Web Server 7.0.x has Incorrect Access Control for admingui/version URIs in the Administration console, as demonstrated by unauthenticated read access to encryption keys. NOTE: a related support policy can be found in the www.oracle.com references attached to this CVE.",
"id": "GHSA-73vm-8jvg-jpqh",
"modified": "2022-05-24T17:17:38Z",
"published": "2022-05-24T17:17:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9315"
},
{
"type": "WEB",
"url": "https://www.oracle.com/support/lifetime-support"
},
{
"type": "WEB",
"url": "https://www.oracle.com/us/assets/lifetime-support-middleware-069163.pdf"
},
{
"type": "WEB",
"url": "https://wwws.nightwatchcybersecurity.com/2020/05/10/two-vulnerabilities-in-oracles-iplanet-web-server-cve-2020-9315-and-cve-2020-9314"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2020/May/31"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-75FW-M5QW-HFX6
Vulnerability from github – Published: 2022-05-17 00:24 – Updated: 2022-05-17 00:24WordPress through 4.8.2 uses a weak MD5-based password hashing algorithm, which makes it easier for attackers to determine cleartext values by leveraging access to the hash values. NOTE: the approach to changing this may not be fully compatible with certain use cases, such as migration of a WordPress site from a web host that uses a recent PHP version to a different web host that uses PHP 5.2. These use cases are plausible (but very unlikely) based on statistics showing widespread deployment of WordPress with obsolete PHP versions.
{
"affected": [],
"aliases": [
"CVE-2012-6707"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-10-19T19:29:00Z",
"severity": "HIGH"
},
"details": "WordPress through 4.8.2 uses a weak MD5-based password hashing algorithm, which makes it easier for attackers to determine cleartext values by leveraging access to the hash values. NOTE: the approach to changing this may not be fully compatible with certain use cases, such as migration of a WordPress site from a web host that uses a recent PHP version to a different web host that uses PHP 5.2. These use cases are plausible (but very unlikely) based on statistics showing widespread deployment of WordPress with obsolete PHP versions.",
"id": "GHSA-75fw-m5qw-hfx6",
"modified": "2022-05-17T00:24:37Z",
"published": "2022-05-17T00:24:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-6707"
},
{
"type": "WEB",
"url": "https://core.trac.wordpress.org/ticket/21022"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-75HR-42CM-P5WQ
Vulnerability from github – Published: 2022-09-06 00:00 – Updated: 2022-09-09 00:00The Simple Single Sign On WordPress plugin through 4.1.0 leaks its OAuth client_secret, which could be used by attackers to gain unauthorized access to the site.
{
"affected": [],
"aliases": [
"CVE-2022-2083"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-319",
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-09-05T13:15:00Z",
"severity": "HIGH"
},
"details": "The Simple Single Sign On WordPress plugin through 4.1.0 leaks its OAuth client_secret, which could be used by attackers to gain unauthorized access to the site.",
"id": "GHSA-75hr-42cm-p5wq",
"modified": "2022-09-09T00:00:57Z",
"published": "2022-09-06T00:00:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2083"
},
{
"type": "WEB",
"url": "https://lana.codes/lanavdb/0bab7575-45fc-432d-945e-6100c35c574c"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/2bbfc855-6901-462f-8a93-120d7fb5d268"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-75JP-83J7-2672
Vulnerability from github – Published: 2022-04-23 00:40 – Updated: 2024-04-03 23:52A Security Bypass vulnerability exists in PolarSSL 0.99pre4 through 1.1.1 due to a weak encryption error when generating Diffie-Hellman values and RSA keys.
{
"affected": [],
"aliases": [
"CVE-2012-2130"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-12-06T18:15:00Z",
"severity": "HIGH"
},
"details": "A Security Bypass vulnerability exists in PolarSSL 0.99pre4 through 1.1.1 due to a weak encryption error when generating Diffie-Hellman values and RSA keys.",
"id": "GHSA-75jp-83j7-2672",
"modified": "2024-04-03T23:52:46Z",
"published": "2022-04-23T00:40:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-2130"
},
{
"type": "WEB",
"url": "https://bugs.gentoo.org/show_bug.cgi?id=CVE-2012-2130"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-2130"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75726"
},
{
"type": "WEB",
"url": "https://security-tracker.debian.org/tracker/CVE-2012-2130"
},
{
"type": "WEB",
"url": "http://security.gentoo.org/glsa/glsa-201310-10.xml"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/53610"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-75M4-949R-9374
Vulnerability from github – Published: 2023-11-09 15:30 – Updated: 2023-11-20 18:30The leakage of channel access token in bluetrick Line 13.6.1 allows remote attackers to send malicious notifications to victims.
{
"affected": [],
"aliases": [
"CVE-2023-47370"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-09T15:15:08Z",
"severity": "MODERATE"
},
"details": "The leakage of channel access token in bluetrick Line 13.6.1 allows remote attackers to send malicious notifications to victims.",
"id": "GHSA-75m4-949r-9374",
"modified": "2023-11-20T18:30:46Z",
"published": "2023-11-09T15:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47370"
},
{
"type": "WEB",
"url": "https://github.com/syz913/CVE-reports/blob/main/bluetrick.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-75QM-M8R5-4CCG
Vulnerability from github – Published: 2022-05-24 19:12 – Updated: 2022-07-13 00:01An inadequate encryption vulnerability discovered in CyberArk Credential Provider before 12.1 may lead to Information Disclosure. An attacker may realistically have enough information that the number of possible keys (for a credential file) is only one, and the number is usually not higher than 2^36.
{
"affected": [],
"aliases": [
"CVE-2021-31796"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-02T01:15:00Z",
"severity": "HIGH"
},
"details": "An inadequate encryption vulnerability discovered in CyberArk Credential Provider before 12.1 may lead to Information Disclosure. An attacker may realistically have enough information that the number of possible keys (for a credential file) is only one, and the number is usually not higher than 2^36.",
"id": "GHSA-75qm-m8r5-4ccg",
"modified": "2022-07-13T00:01:24Z",
"published": "2022-05-24T19:12:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31796"
},
{
"type": "WEB",
"url": "https://korelogic.com/Resources/Advisories/KL-001-2021-008.txt"
},
{
"type": "WEB",
"url": "https://www.cyberark.com/resources/blog"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/164023/CyberArk-Credential-File-Insufficient-Effective-Key-Space.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2021/Sep/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-78GP-57MF-H678
Vulnerability from github – Published: 2022-02-17 00:00 – Updated: 2022-02-24 00:00IBM Maximo Anywhere 7.6.4.0 could allow an attacker to reverse engineer the application due to the lack of binary protection precautions. IBM X-Force ID: 160697.
{
"affected": [],
"aliases": [
"CVE-2019-4291"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-02-16T17:15:00Z",
"severity": "MODERATE"
},
"details": "IBM Maximo Anywhere 7.6.4.0 could allow an attacker to reverse engineer the application due to the lack of binary protection precautions. IBM X-Force ID: 160697.",
"id": "GHSA-78gp-57mf-h678",
"modified": "2022-02-24T00:00:58Z",
"published": "2022-02-17T00:00:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-4291"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/160697"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6556834"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation
Use an encryption scheme that is currently considered to be strong by experts in the field.
CAPEC-112: Brute Force
In this attack, some asset (information, functionality, identity, etc.) is protected by a finite secret value. The attacker attempts to gain access to this asset by using trial-and-error to exhaustively explore all the possible secret values in the hope of finding the secret (or a value that is functionally equivalent) that will unlock the asset.
CAPEC-192: Protocol Analysis
An adversary engages in activities to decipher and/or decode protocol information for a network or application communication protocol used for transmitting information between interconnected nodes or systems on a packet-switched data network. While this type of analysis involves the analysis of a networking protocol inherently, it does not require the presence of an actual or physical network.
CAPEC-20: Encryption Brute Forcing
An attacker, armed with the cipher text and the encryption algorithm used, performs an exhaustive (brute force) search on the key space to determine the key that decrypts the cipher text to obtain the plaintext.