CWE-326
Allowed-with-ReviewInadequate Encryption Strength
Abstraction: Class · Status: Draft
The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
631 vulnerabilities reference this CWE, most recent first.
GHSA-92WP-JGHR-HH87
Vulnerability from github – Published: 2024-06-07 00:30 – Updated: 2024-06-07 19:36The encrypt() function of Ninja Core v7.0.0 was discovered to use a weak cryptographic algorithm, leading to a possible leakage of sensitive information.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.ninjaframework:ninja-core"
},
"versions": [
"7.0.0"
]
}
],
"aliases": [
"CVE-2024-36823"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": true,
"github_reviewed_at": "2024-06-07T19:36:27Z",
"nvd_published_at": "2024-06-06T22:15:10Z",
"severity": "MODERATE"
},
"details": "The encrypt() function of Ninja Core v7.0.0 was discovered to use a weak cryptographic algorithm, leading to a possible leakage of sensitive information.",
"id": "GHSA-92wp-jghr-hh87",
"modified": "2024-06-07T19:36:27Z",
"published": "2024-06-07T00:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36823"
},
{
"type": "WEB",
"url": "https://github.com/ninjaframework/ninja/issues/759"
},
{
"type": "PACKAGE",
"url": "https://github.com/ninjaframework/ninja"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Weak encryption in Ninja Core"
}
GHSA-92WQ-Q9PQ-GW47
Vulnerability from github – Published: 2023-05-17 17:07 – Updated: 2023-05-25 19:07Impact
Existing Dgraph audit logs are vulnerable to brute force attacks due to nonce collisions. All audit logs generated by versions of Dgraph <v23.0.0 are affected.
Patches
This issue was patched in https://github.com/dgraph-io/dgraph/pull/8323. Dgraph users should upgrade to v23.0.0.
Workarounds
Store existing audit logs in a secure location. For extra security, encrypt using a tool like gpg.
References
See https://github.com/dgraph-io/dgraph/pull/8323 for more context on the vulnerability.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/dgraph-io/dgraph"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "23.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-31135"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": true,
"github_reviewed_at": "2023-05-17T17:07:40Z",
"nvd_published_at": "2023-05-17T18:15:09Z",
"severity": "MODERATE"
},
"details": "### Impact\nExisting Dgraph audit logs are vulnerable to brute force attacks due to nonce collisions. All audit logs generated by versions of Dgraph \u003cv23.0.0 are affected.\n\n### Patches\nThis issue was patched in https://github.com/dgraph-io/dgraph/pull/8323. Dgraph users should upgrade to v23.0.0.\n\n### Workarounds\nStore existing audit logs in a secure location. For extra security, encrypt using a tool like `gpg`.\n\n### References\nSee https://github.com/dgraph-io/dgraph/pull/8323 for more context on the vulnerability.",
"id": "GHSA-92wq-q9pq-gw47",
"modified": "2023-05-25T19:07:49Z",
"published": "2023-05-17T17:07:40Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/dgraph-io/dgraph/security/advisories/GHSA-92wq-q9pq-gw47"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31135"
},
{
"type": "WEB",
"url": "https://github.com/dgraph-io/dgraph/pull/8323"
},
{
"type": "WEB",
"url": "https://en.wikipedia.org/wiki/Cryptographic_nonce"
},
{
"type": "PACKAGE",
"url": "https://github.com/dgraph-io/dgraph"
},
{
"type": "WEB",
"url": "https://github.com/dgraph-io/dgraph/releases/tag/v23.0.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Dgraph Audit Log Encryption Vulnerability"
}
GHSA-93F9-WG2H-R6P5
Vulnerability from github – Published: 2022-05-24 17:34 – Updated: 2026-05-29 15:30A CWE-326: Inadequate Encryption Strength vulnerability exists in Modicon M221 (all references, all versions) that could allow the attacker to break the encryption key when the attacker has captured the traffic between EcoStruxure Machine - Basic software and Modicon M221 controller.
{
"affected": [],
"aliases": [
"CVE-2020-7565"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-11-19T22:15:00Z",
"severity": "HIGH"
},
"details": "A CWE-326: Inadequate Encryption Strength vulnerability exists in Modicon M221 (all references, all versions) that could allow the attacker to break the encryption key when the attacker has captured the traffic between EcoStruxure Machine - Basic software and Modicon M221 controller.",
"id": "GHSA-93f9-wg2h-r6p5",
"modified": "2026-05-29T15:30:23Z",
"published": "2022-05-24T17:34:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7565"
},
{
"type": "WEB",
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-343-04"
},
{
"type": "WEB",
"url": "https://www.se.com/ww/en/download/document/SEVD-2020-315-05"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-946G-XG2P-C79M
Vulnerability from github – Published: 2022-05-17 00:24 – Updated: 2022-05-17 00:24IBM System Storage Storwize V7000 Unified (V7000U) 1.5 and 1.6 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 126868.
{
"affected": [],
"aliases": [
"CVE-2017-1375"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-10-24T21:29:00Z",
"severity": "HIGH"
},
"details": "IBM System Storage Storwize V7000 Unified (V7000U) 1.5 and 1.6 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 126868.",
"id": "GHSA-946g-xg2p-c79m",
"modified": "2022-05-17T00:24:37Z",
"published": "2022-05-17T00:24:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1375"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/126868"
},
{
"type": "WEB",
"url": "http://www.ibm.com/support/docview.wss?uid=ssg1S1010657"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/101561"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-94G8-MRXQ-Q59C
Vulnerability from github – Published: 2022-05-13 01:26 – Updated: 2022-05-13 01:26Users' VPN authentication credentials are unsafely encrypted in Fortinet FortiClient for Windows 5.6.0 and below versions, FortiClient for Mac OSX 5.6.0 and below versions and FortiClient SSLVPN Client for Linux 4.4.2335 and below versions, due to the use of a static encryption key and weak encryption algorithms.
{
"affected": [],
"aliases": [
"CVE-2017-17543"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-04-26T20:29:00Z",
"severity": "HIGH"
},
"details": "Users\u0027 VPN authentication credentials are unsafely encrypted in Fortinet FortiClient for Windows 5.6.0 and below versions, FortiClient for Mac OSX 5.6.0 and below versions and FortiClient SSLVPN Client for Linux 4.4.2335 and below versions, due to the use of a static encryption key and weak encryption algorithms.",
"id": "GHSA-94g8-mrxq-q59c",
"modified": "2022-05-13T01:26:41Z",
"published": "2022-05-13T01:26:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-17543"
},
{
"type": "WEB",
"url": "https://fortiguard.com/advisory/FG-IR-17-214"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-9527-8CG9-FCP3
Vulnerability from github – Published: 2022-05-24 17:45 – Updated: 2022-05-24 17:45SSH server configuration file does not implement some best practices. This could lead to a weakening of the SSH protocol strength, which could lead to additional misconfiguration or be leveraged as part of a larger attack on the MU320E (all firmware versions prior to v04A00.1).
{
"affected": [],
"aliases": [
"CVE-2021-27450"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-03-25T20:15:00Z",
"severity": "HIGH"
},
"details": "SSH server configuration file does not implement some best practices. This could lead to a weakening of the SSH protocol strength, which could lead to additional misconfiguration or be leveraged as part of a larger attack on the MU320E (all firmware versions prior to v04A00.1).",
"id": "GHSA-9527-8cg9-fcp3",
"modified": "2022-05-24T17:45:26Z",
"published": "2022-05-24T17:45:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27450"
},
{
"type": "WEB",
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-082-02"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-96G6-83P3-M784
Vulnerability from github – Published: 2021-12-28 00:00 – Updated: 2023-06-30 18:31The Simple JWT Login WordPress plugin before 3.3.0 can be used to create new WordPress user accounts with a randomly generated password. The password is generated using the str_shuffle PHP function that "does not generate cryptographically secure values, and should not be used for cryptographic purposes" according to PHP's documentation.
{
"affected": [],
"aliases": [
"CVE-2021-24998"
],
"database_specific": {
"cwe_ids": [
"CWE-326",
"CWE-330"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-27T11:15:00Z",
"severity": "HIGH"
},
"details": "The Simple JWT Login WordPress plugin before 3.3.0 can be used to create new WordPress user accounts with a randomly generated password. The password is generated using the str_shuffle PHP function that \"does not generate cryptographically secure values, and should not be used for cryptographic purposes\" according to PHP\u0027s documentation.",
"id": "GHSA-96g6-83p3-m784",
"modified": "2023-06-30T18:31:00Z",
"published": "2021-12-28T00:00:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-24998"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/2613782"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/1cca404e-766a-43ab-b41f-77d6a3b282fb"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-97W9-8HVG-M5R2
Vulnerability from github – Published: 2022-05-24 17:19 – Updated: 2022-09-03 00:00D-Link DIR-865L Ax 1.20B01 Beta devices have Inadequate Encryption Strength.
{
"affected": [],
"aliases": [
"CVE-2020-13785"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-06-03T17:15:00Z",
"severity": "HIGH"
},
"details": "D-Link DIR-865L Ax 1.20B01 Beta devices have Inadequate Encryption Strength.",
"id": "GHSA-97w9-8hvg-m5r2",
"modified": "2022-09-03T00:00:20Z",
"published": "2022-05-24T17:19:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13785"
},
{
"type": "WEB",
"url": "https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10174"
},
{
"type": "WEB",
"url": "https://unit42.paloaltonetworks.com/6-new-d-link-vulnerabilities-found-on-home-routers"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-987X-96FQ-9384
Vulnerability from github – Published: 2025-10-14 18:30 – Updated: 2025-10-15 17:38Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-gwq6-fmvp-qp68. This link is maintained to preserve external references.
Original Description
Inadequate encryption strength in .NET, .NET Framework, Visual Studio allows an authorized attacker to disclose information over a network.
{
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.NetCore.App.Runtime.linux-arm"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0"
},
{
"fixed": "9.0.10"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-15T17:38:42Z",
"nvd_published_at": "2025-10-14T17:15:44Z",
"severity": "MODERATE"
},
"details": "### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-gwq6-fmvp-qp68. This link is maintained to preserve external references.\n\n### Original Description\nInadequate encryption strength in .NET, .NET Framework, Visual Studio allows an authorized attacker to disclose information over a network.",
"id": "GHSA-987x-96fq-9384",
"modified": "2025-10-15T17:38:42Z",
"published": "2025-10-14T18:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55248"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55248"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Duplicate Advisory: Microsoft Security Advisory CVE-2025-55248: .NET Information Disclosure Vulnerability",
"withdrawn": "2025-10-15T17:38:42Z"
}
GHSA-98VC-98Q7-57QF
Vulnerability from github – Published: 2022-05-17 02:45 – Updated: 2023-07-31 22:07Dolibarr ERP/CRM 4.0.4 stores passwords with the MD5 algorithm, which makes brute-force attacks easier.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "dolibarr/dolibarr"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "4.0.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2017-7888"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": true,
"github_reviewed_at": "2023-07-31T22:07:51Z",
"nvd_published_at": "2017-05-10T14:29:00Z",
"severity": "CRITICAL"
},
"details": "Dolibarr ERP/CRM 4.0.4 stores passwords with the MD5 algorithm, which makes brute-force attacks easier.",
"id": "GHSA-98vc-98q7-57qf",
"modified": "2023-07-31T22:07:51Z",
"published": "2022-05-17T02:45:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7888"
},
{
"type": "WEB",
"url": "https://www.foxmole.com/advisories/foxmole-2017-02-23.txt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Dolibarr ERP and CRM Insecure Encryption"
}
Mitigation
Use an encryption scheme that is currently considered to be strong by experts in the field.
CAPEC-112: Brute Force
In this attack, some asset (information, functionality, identity, etc.) is protected by a finite secret value. The attacker attempts to gain access to this asset by using trial-and-error to exhaustively explore all the possible secret values in the hope of finding the secret (or a value that is functionally equivalent) that will unlock the asset.
CAPEC-192: Protocol Analysis
An adversary engages in activities to decipher and/or decode protocol information for a network or application communication protocol used for transmitting information between interconnected nodes or systems on a packet-switched data network. While this type of analysis involves the analysis of a networking protocol inherently, it does not require the presence of an actual or physical network.
CAPEC-20: Encryption Brute Forcing
An attacker, armed with the cipher text and the encryption algorithm used, performs an exhaustive (brute force) search on the key space to determine the key that decrypts the cipher text to obtain the plaintext.