CWE-326
Allowed-with-ReviewInadequate Encryption Strength
Abstraction: Class · Status: Draft
The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
631 vulnerabilities reference this CWE, most recent first.
GHSA-8G45-4CC8-CGMH
Vulnerability from github – Published: 2022-08-12 00:01 – Updated: 2022-08-14 00:00On specific devices, there is a possible bypass of configuration integrity due to improperly used crypto. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-201078231References: N/A
{
"affected": [],
"aliases": [
"CVE-2022-20374"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-11T15:15:00Z",
"severity": "HIGH"
},
"details": "On specific devices, there is a possible bypass of configuration integrity due to improperly used crypto. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-201078231References: N/A",
"id": "GHSA-8g45-4cc8-cgmh",
"modified": "2022-08-14T00:00:22Z",
"published": "2022-08-12T00:01:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20374"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/pixel/2022-08-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8G6P-5F49-WRW9
Vulnerability from github – Published: 2022-05-24 19:09 – Updated: 2022-07-13 00:01IBM QRadar SIEM 7.3.0 to 7.3.3 Patch 8 and 7.4.0 to 7.4.3 GA uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 194448.
{
"affected": [],
"aliases": [
"CVE-2021-20337"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-07-26T12:15:00Z",
"severity": "HIGH"
},
"details": "IBM QRadar SIEM 7.3.0 to 7.3.3 Patch 8 and 7.4.0 to 7.4.3 GA uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 194448.",
"id": "GHSA-8g6p-5f49-wrw9",
"modified": "2022-07-13T00:01:04Z",
"published": "2022-05-24T19:09:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20337"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/194448"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6474847"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-8PH5-68PQ-3FM9
Vulnerability from github – Published: 2022-05-24 17:42 – Updated: 2025-03-26 18:30In the ownCloud application before 2.15 for Android, the lock protection mechanism can be bypassed by moving the system date/time into the past.
{
"affected": [],
"aliases": [
"CVE-2020-36250"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-02-19T07:15:00Z",
"severity": "MODERATE"
},
"details": "In the ownCloud application before 2.15 for Android, the lock protection mechanism can be bypassed by moving the system date/time into the past.",
"id": "GHSA-8ph5-68pq-3fm9",
"modified": "2025-03-26T18:30:33Z",
"published": "2022-05-24T17:42:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36250"
},
{
"type": "WEB",
"url": "https://owncloud.com/security-advisories/security-lock-can-be-bypassed-by-changing-the-system-date"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-8RHW-M58Q-QGM6
Vulnerability from github – Published: 2022-05-14 03:20 – Updated: 2022-05-14 03:20IBM Security Guardium 10.0, 10.0.1, and 10.1 through 10.1.4 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 124675.
{
"affected": [],
"aliases": [
"CVE-2017-1255"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-05-02T13:29:00Z",
"severity": "HIGH"
},
"details": "IBM Security Guardium 10.0, 10.0.1, and 10.1 through 10.1.4 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 124675.",
"id": "GHSA-8rhw-m58q-qgm6",
"modified": "2022-05-14T03:20:03Z",
"published": "2022-05-14T03:20:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1255"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/124675"
},
{
"type": "WEB",
"url": "http://www.ibm.com/support/docview.wss?uid=swg22014537"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-8VFH-F45H-33PP
Vulnerability from github – Published: 2022-05-14 01:54 – Updated: 2022-05-14 01:54An issue was discovered on MOXA EDS-G512E 5.1 build 16072215 devices. The password encryption method can be retrieved from the firmware. This encryption method is based on a chall value that is sent in cleartext as a POST parameter. An attacker could reverse the password encryption algorithm to retrieve it.
{
"affected": [],
"aliases": [
"CVE-2017-13699"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-11-23T21:29:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered on MOXA EDS-G512E 5.1 build 16072215 devices. The password encryption method can be retrieved from the firmware. This encryption method is based on a chall value that is sent in cleartext as a POST parameter. An attacker could reverse the password encryption algorithm to retrieve it.",
"id": "GHSA-8vfh-f45h-33pp",
"modified": "2022-05-14T01:54:40Z",
"published": "2022-05-14T01:54:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-13699"
},
{
"type": "WEB",
"url": "https://www.sentryo.net/wp-content/uploads/2017/11/Switch-Moxa-Analysis.pdf"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/106047"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-8VH3-29MR-M9XG
Vulnerability from github – Published: 2021-09-01 18:31 – Updated: 2021-08-30 21:53showdoc makes use of a hardcoded salt in its user password hash function
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "showdoc/showdoc"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.9.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-3680"
],
"database_specific": {
"cwe_ids": [
"CWE-326",
"CWE-347"
],
"github_reviewed": true,
"github_reviewed_at": "2021-08-30T21:53:31Z",
"nvd_published_at": "2021-08-04T13:15:00Z",
"severity": "MODERATE"
},
"details": "showdoc makes use of a hardcoded salt in its user password hash function\n\n",
"id": "GHSA-8vh3-29mr-m9xg",
"modified": "2021-08-30T21:53:31Z",
"published": "2021-09-01T18:31:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3680"
},
{
"type": "WEB",
"url": "https://github.com/star7th/showdoc/commit/4b962c1740311e0d46775023b6acba39ad60e370"
},
{
"type": "PACKAGE",
"url": "https://github.com/star7th/showdoc"
},
{
"type": "WEB",
"url": "https://github.com/star7th/showdoc/blob/fd1740234a12804b45af9cac3563567d83ba414d/server/Application/Home/Model/UserModel.class.php#L20"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/76b49607-fba9-4100-9be7-cb459fe6cfe2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Inadequate Encryption Strength in showdoc"
}
GHSA-8VQM-PJ2F-G578
Vulnerability from github – Published: 2023-06-30 18:31 – Updated: 2024-04-04 05:19An issue was discovered in SubmitEntityAction in Wikibase in MediaWiki through 1.39.3. Because it doesn't use EditEntity for undo and restore, the intended interaction with AbuseFilter does not occur.
{
"affected": [],
"aliases": [
"CVE-2023-37301"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-30T17:15:09Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in SubmitEntityAction in Wikibase in MediaWiki through 1.39.3. Because it doesn\u0027t use EditEntity for undo and restore, the intended interaction with AbuseFilter does not occur.",
"id": "GHSA-8vqm-pj2f-g578",
"modified": "2024-04-04T05:19:00Z",
"published": "2023-06-30T18:31:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37301"
},
{
"type": "WEB",
"url": "https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Wikibase/+/933663"
},
{
"type": "WEB",
"url": "https://phabricator.wikimedia.org/T250720"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-8WR8-GR7J-V6CG
Vulnerability from github – Published: 2022-05-24 19:07 – Updated: 2022-07-13 00:01A missing cryptographic step in the implementation of the hash digest algorithm in FortiMail 6.4.0 through 6.4.4, and 6.2.0 through 6.2.7 may allow an unauthenticated attacker to tamper with signed URLs by appending further data which allows bypass of signature verification.
{
"affected": [],
"aliases": [
"CVE-2021-24020"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-07-09T19:15:00Z",
"severity": "CRITICAL"
},
"details": "A missing cryptographic step in the implementation of the hash digest algorithm in FortiMail 6.4.0 through 6.4.4, and 6.2.0 through 6.2.7 may allow an unauthenticated attacker to tamper with signed URLs by appending further data which allows bypass of signature verification.",
"id": "GHSA-8wr8-gr7j-v6cg",
"modified": "2022-07-13T00:01:10Z",
"published": "2022-05-24T19:07:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-24020"
},
{
"type": "WEB",
"url": "https://fortiguard.com/advisory/FG-IR-21-027"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8WVX-W97G-7FQ3
Vulnerability from github – Published: 2024-08-13 09:30 – Updated: 2024-08-13 09:30A vulnerability has been identified in Location Intelligence family (All versions < V4.4). The web server of affected products is configured to support weak ciphers by default. This could allow an unauthenticated attacker in an on-path position to to read and modify any data passed over the connection between legitimate clients and the affected device.
{
"affected": [],
"aliases": [
"CVE-2024-41681"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-13T08:15:11Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been identified in Location Intelligence family (All versions \u003c V4.4). The web server of affected products is configured to support weak ciphers by default. This could allow an unauthenticated attacker in an on-path position to to read and modify any data passed over the connection between legitimate clients and the affected device.",
"id": "GHSA-8wvx-w97g-7fq3",
"modified": "2024-08-13T09:30:52Z",
"published": "2024-08-13T09:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41681"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-720392.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:P/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-9225-WWJ6-C3W3
Vulnerability from github – Published: 2023-06-30 03:30 – Updated: 2024-04-04 05:18Exposure of information intended to be encrypted by some Zoom clients may lead to disclosure of sensitive information.
{
"affected": [],
"aliases": [
"CVE-2023-36539"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-30T03:15:09Z",
"severity": "HIGH"
},
"details": "\nExposure of information intended to be encrypted by some Zoom clients may lead to disclosure of sensitive information.\n\n",
"id": "GHSA-9225-wwj6-c3w3",
"modified": "2024-04-04T05:18:36Z",
"published": "2023-06-30T03:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36539"
},
{
"type": "WEB",
"url": "https://explore.zoom.us/en/trust/security/security-bulletin"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Use an encryption scheme that is currently considered to be strong by experts in the field.
CAPEC-112: Brute Force
In this attack, some asset (information, functionality, identity, etc.) is protected by a finite secret value. The attacker attempts to gain access to this asset by using trial-and-error to exhaustively explore all the possible secret values in the hope of finding the secret (or a value that is functionally equivalent) that will unlock the asset.
CAPEC-192: Protocol Analysis
An adversary engages in activities to decipher and/or decode protocol information for a network or application communication protocol used for transmitting information between interconnected nodes or systems on a packet-switched data network. While this type of analysis involves the analysis of a networking protocol inherently, it does not require the presence of an actual or physical network.
CAPEC-20: Encryption Brute Forcing
An attacker, armed with the cipher text and the encryption algorithm used, performs an exhaustive (brute force) search on the key space to determine the key that decrypts the cipher text to obtain the plaintext.