Common Weakness Enumeration

CWE-326

Allowed-with-Review

Inadequate Encryption Strength

Abstraction: Class · Status: Draft

The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

631 vulnerabilities reference this CWE, most recent first.

GHSA-8G45-4CC8-CGMH

Vulnerability from github – Published: 2022-08-12 00:01 – Updated: 2022-08-14 00:00
VLAI
Details

On specific devices, there is a possible bypass of configuration integrity due to improperly used crypto. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-201078231References: N/A

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-20374"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-08-11T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "On specific devices, there is a possible bypass of configuration integrity due to improperly used crypto. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-201078231References: N/A",
  "id": "GHSA-8g45-4cc8-cgmh",
  "modified": "2022-08-14T00:00:22Z",
  "published": "2022-08-12T00:01:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20374"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/pixel/2022-08-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8G6P-5F49-WRW9

Vulnerability from github – Published: 2022-05-24 19:09 – Updated: 2022-07-13 00:01
VLAI
Details

IBM QRadar SIEM 7.3.0 to 7.3.3 Patch 8 and 7.4.0 to 7.4.3 GA uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 194448.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-20337"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-07-26T12:15:00Z",
    "severity": "HIGH"
  },
  "details": "IBM QRadar SIEM 7.3.0 to 7.3.3 Patch 8 and 7.4.0 to 7.4.3 GA uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 194448.",
  "id": "GHSA-8g6p-5f49-wrw9",
  "modified": "2022-07-13T00:01:04Z",
  "published": "2022-05-24T19:09:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20337"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/194448"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6474847"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8PH5-68PQ-3FM9

Vulnerability from github – Published: 2022-05-24 17:42 – Updated: 2025-03-26 18:30
VLAI
Details

In the ownCloud application before 2.15 for Android, the lock protection mechanism can be bypassed by moving the system date/time into the past.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-36250"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-02-19T07:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In the ownCloud application before 2.15 for Android, the lock protection mechanism can be bypassed by moving the system date/time into the past.",
  "id": "GHSA-8ph5-68pq-3fm9",
  "modified": "2025-03-26T18:30:33Z",
  "published": "2022-05-24T17:42:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36250"
    },
    {
      "type": "WEB",
      "url": "https://owncloud.com/security-advisories/security-lock-can-be-bypassed-by-changing-the-system-date"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8RHW-M58Q-QGM6

Vulnerability from github – Published: 2022-05-14 03:20 – Updated: 2022-05-14 03:20
VLAI
Details

IBM Security Guardium 10.0, 10.0.1, and 10.1 through 10.1.4 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 124675.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-1255"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-05-02T13:29:00Z",
    "severity": "HIGH"
  },
  "details": "IBM Security Guardium 10.0, 10.0.1, and 10.1 through 10.1.4 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 124675.",
  "id": "GHSA-8rhw-m58q-qgm6",
  "modified": "2022-05-14T03:20:03Z",
  "published": "2022-05-14T03:20:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1255"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/124675"
    },
    {
      "type": "WEB",
      "url": "http://www.ibm.com/support/docview.wss?uid=swg22014537"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8VFH-F45H-33PP

Vulnerability from github – Published: 2022-05-14 01:54 – Updated: 2022-05-14 01:54
VLAI
Details

An issue was discovered on MOXA EDS-G512E 5.1 build 16072215 devices. The password encryption method can be retrieved from the firmware. This encryption method is based on a chall value that is sent in cleartext as a POST parameter. An attacker could reverse the password encryption algorithm to retrieve it.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-13699"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-11-23T21:29:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered on MOXA EDS-G512E 5.1 build 16072215 devices. The password encryption method can be retrieved from the firmware. This encryption method is based on a chall value that is sent in cleartext as a POST parameter. An attacker could reverse the password encryption algorithm to retrieve it.",
  "id": "GHSA-8vfh-f45h-33pp",
  "modified": "2022-05-14T01:54:40Z",
  "published": "2022-05-14T01:54:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-13699"
    },
    {
      "type": "WEB",
      "url": "https://www.sentryo.net/wp-content/uploads/2017/11/Switch-Moxa-Analysis.pdf"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/106047"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8VH3-29MR-M9XG

Vulnerability from github – Published: 2021-09-01 18:31 – Updated: 2021-08-30 21:53
VLAI
Summary
Inadequate Encryption Strength in showdoc
Details

showdoc makes use of a hardcoded salt in its user password hash function

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "showdoc/showdoc"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2.9.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-3680"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326",
      "CWE-347"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-30T21:53:31Z",
    "nvd_published_at": "2021-08-04T13:15:00Z",
    "severity": "MODERATE"
  },
  "details": "showdoc makes use of a hardcoded salt in its user password hash function\n\n",
  "id": "GHSA-8vh3-29mr-m9xg",
  "modified": "2021-08-30T21:53:31Z",
  "published": "2021-09-01T18:31:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3680"
    },
    {
      "type": "WEB",
      "url": "https://github.com/star7th/showdoc/commit/4b962c1740311e0d46775023b6acba39ad60e370"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/star7th/showdoc"
    },
    {
      "type": "WEB",
      "url": "https://github.com/star7th/showdoc/blob/fd1740234a12804b45af9cac3563567d83ba414d/server/Application/Home/Model/UserModel.class.php#L20"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/76b49607-fba9-4100-9be7-cb459fe6cfe2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Inadequate Encryption Strength in showdoc"
}

GHSA-8VQM-PJ2F-G578

Vulnerability from github – Published: 2023-06-30 18:31 – Updated: 2024-04-04 05:19
VLAI
Details

An issue was discovered in SubmitEntityAction in Wikibase in MediaWiki through 1.39.3. Because it doesn't use EditEntity for undo and restore, the intended interaction with AbuseFilter does not occur.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-37301"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-30T17:15:09Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in SubmitEntityAction in Wikibase in MediaWiki through 1.39.3. Because it doesn\u0027t use EditEntity for undo and restore, the intended interaction with AbuseFilter does not occur.",
  "id": "GHSA-8vqm-pj2f-g578",
  "modified": "2024-04-04T05:19:00Z",
  "published": "2023-06-30T18:31:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37301"
    },
    {
      "type": "WEB",
      "url": "https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Wikibase/+/933663"
    },
    {
      "type": "WEB",
      "url": "https://phabricator.wikimedia.org/T250720"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8WR8-GR7J-V6CG

Vulnerability from github – Published: 2022-05-24 19:07 – Updated: 2022-07-13 00:01
VLAI
Details

A missing cryptographic step in the implementation of the hash digest algorithm in FortiMail 6.4.0 through 6.4.4, and 6.2.0 through 6.2.7 may allow an unauthenticated attacker to tamper with signed URLs by appending further data which allows bypass of signature verification.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-24020"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-07-09T19:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "A missing cryptographic step in the implementation of the hash digest algorithm in FortiMail 6.4.0 through 6.4.4, and 6.2.0 through 6.2.7 may allow an unauthenticated attacker to tamper with signed URLs by appending further data which allows bypass of signature verification.",
  "id": "GHSA-8wr8-gr7j-v6cg",
  "modified": "2022-07-13T00:01:10Z",
  "published": "2022-05-24T19:07:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-24020"
    },
    {
      "type": "WEB",
      "url": "https://fortiguard.com/advisory/FG-IR-21-027"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8WVX-W97G-7FQ3

Vulnerability from github – Published: 2024-08-13 09:30 – Updated: 2024-08-13 09:30
VLAI
Details

A vulnerability has been identified in Location Intelligence family (All versions < V4.4). The web server of affected products is configured to support weak ciphers by default. This could allow an unauthenticated attacker in an on-path position to to read and modify any data passed over the connection between legitimate clients and the affected device.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-41681"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-13T08:15:11Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability has been identified in Location Intelligence family (All versions \u003c V4.4). The web server of affected products is configured to support weak ciphers  by default. This could allow an unauthenticated attacker in an on-path position to to read and modify any data passed over the connection between legitimate clients and the affected device.",
  "id": "GHSA-8wvx-w97g-7fq3",
  "modified": "2024-08-13T09:30:52Z",
  "published": "2024-08-13T09:30:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41681"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-720392.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:P/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-9225-WWJ6-C3W3

Vulnerability from github – Published: 2023-06-30 03:30 – Updated: 2024-04-04 05:18
VLAI
Details

Exposure of information intended to be encrypted by some Zoom clients may lead to disclosure of sensitive information.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-36539"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-30T03:15:09Z",
    "severity": "HIGH"
  },
  "details": "\nExposure of information intended to be encrypted by some Zoom clients may lead to disclosure of sensitive information.\n\n",
  "id": "GHSA-9225-wwj6-c3w3",
  "modified": "2024-04-04T05:18:36Z",
  "published": "2023-06-30T03:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36539"
    },
    {
      "type": "WEB",
      "url": "https://explore.zoom.us/en/trust/security/security-bulletin"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Use an encryption scheme that is currently considered to be strong by experts in the field.

CAPEC-112: Brute Force

In this attack, some asset (information, functionality, identity, etc.) is protected by a finite secret value. The attacker attempts to gain access to this asset by using trial-and-error to exhaustively explore all the possible secret values in the hope of finding the secret (or a value that is functionally equivalent) that will unlock the asset.

CAPEC-192: Protocol Analysis

An adversary engages in activities to decipher and/or decode protocol information for a network or application communication protocol used for transmitting information between interconnected nodes or systems on a packet-switched data network. While this type of analysis involves the analysis of a networking protocol inherently, it does not require the presence of an actual or physical network.

CAPEC-20: Encryption Brute Forcing

An attacker, armed with the cipher text and the encryption algorithm used, performs an exhaustive (brute force) search on the key space to determine the key that decrypts the cipher text to obtain the plaintext.