Common Weakness Enumeration

CWE-326

Allowed-with-Review

Inadequate Encryption Strength

Abstraction: Class · Status: Draft

The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

631 vulnerabilities reference this CWE, most recent first.

GHSA-92WP-JGHR-HH87

Vulnerability from github – Published: 2024-06-07 00:30 – Updated: 2024-06-07 19:36
VLAI
Summary
Weak encryption in Ninja Core
Details

The encrypt() function of Ninja Core v7.0.0 was discovered to use a weak cryptographic algorithm, leading to a possible leakage of sensitive information.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.ninjaframework:ninja-core"
      },
      "versions": [
        "7.0.0"
      ]
    }
  ],
  "aliases": [
    "CVE-2024-36823"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-06-07T19:36:27Z",
    "nvd_published_at": "2024-06-06T22:15:10Z",
    "severity": "MODERATE"
  },
  "details": "The encrypt() function of Ninja Core v7.0.0 was discovered to use a weak cryptographic algorithm, leading to a possible leakage of sensitive information.",
  "id": "GHSA-92wp-jghr-hh87",
  "modified": "2024-06-07T19:36:27Z",
  "published": "2024-06-07T00:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36823"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ninjaframework/ninja/issues/759"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ninjaframework/ninja"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Weak encryption in Ninja Core"
}

GHSA-92WQ-Q9PQ-GW47

Vulnerability from github – Published: 2023-05-17 17:07 – Updated: 2023-05-25 19:07
VLAI
Summary
Dgraph Audit Log Encryption Vulnerability
Details

Impact

Existing Dgraph audit logs are vulnerable to brute force attacks due to nonce collisions. All audit logs generated by versions of Dgraph <v23.0.0 are affected.

Patches

This issue was patched in https://github.com/dgraph-io/dgraph/pull/8323. Dgraph users should upgrade to v23.0.0.

Workarounds

Store existing audit logs in a secure location. For extra security, encrypt using a tool like gpg.

References

See https://github.com/dgraph-io/dgraph/pull/8323 for more context on the vulnerability.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/dgraph-io/dgraph"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "23.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-31135"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-05-17T17:07:40Z",
    "nvd_published_at": "2023-05-17T18:15:09Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nExisting Dgraph audit logs are vulnerable to brute force attacks due to nonce collisions.  All audit logs generated by versions of Dgraph \u003cv23.0.0 are affected.\n\n### Patches\nThis issue was patched in https://github.com/dgraph-io/dgraph/pull/8323.  Dgraph users should upgrade to v23.0.0.\n\n### Workarounds\nStore existing audit logs in a secure location.  For extra security, encrypt using a tool like `gpg`.\n\n### References\nSee https://github.com/dgraph-io/dgraph/pull/8323 for more context on the vulnerability.",
  "id": "GHSA-92wq-q9pq-gw47",
  "modified": "2023-05-25T19:07:49Z",
  "published": "2023-05-17T17:07:40Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/dgraph-io/dgraph/security/advisories/GHSA-92wq-q9pq-gw47"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31135"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dgraph-io/dgraph/pull/8323"
    },
    {
      "type": "WEB",
      "url": "https://en.wikipedia.org/wiki/Cryptographic_nonce"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/dgraph-io/dgraph"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dgraph-io/dgraph/releases/tag/v23.0.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Dgraph Audit Log Encryption Vulnerability"
}

GHSA-93F9-WG2H-R6P5

Vulnerability from github – Published: 2022-05-24 17:34 – Updated: 2026-05-29 15:30
VLAI
Details

A CWE-326: Inadequate Encryption Strength vulnerability exists in Modicon M221 (all references, all versions) that could allow the attacker to break the encryption key when the attacker has captured the traffic between EcoStruxure Machine - Basic software and Modicon M221 controller.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-7565"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-11-19T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "A CWE-326: Inadequate Encryption Strength vulnerability exists in Modicon M221 (all references, all versions) that could allow the attacker to break the encryption key when the attacker has captured the traffic between EcoStruxure Machine - Basic software and Modicon M221 controller.",
  "id": "GHSA-93f9-wg2h-r6p5",
  "modified": "2026-05-29T15:30:23Z",
  "published": "2022-05-24T17:34:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7565"
    },
    {
      "type": "WEB",
      "url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-343-04"
    },
    {
      "type": "WEB",
      "url": "https://www.se.com/ww/en/download/document/SEVD-2020-315-05"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-946G-XG2P-C79M

Vulnerability from github – Published: 2022-05-17 00:24 – Updated: 2022-05-17 00:24
VLAI
Details

IBM System Storage Storwize V7000 Unified (V7000U) 1.5 and 1.6 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 126868.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-1375"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-10-24T21:29:00Z",
    "severity": "HIGH"
  },
  "details": "IBM System Storage Storwize V7000 Unified (V7000U) 1.5 and 1.6 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 126868.",
  "id": "GHSA-946g-xg2p-c79m",
  "modified": "2022-05-17T00:24:37Z",
  "published": "2022-05-17T00:24:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1375"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/126868"
    },
    {
      "type": "WEB",
      "url": "http://www.ibm.com/support/docview.wss?uid=ssg1S1010657"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/101561"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-94G8-MRXQ-Q59C

Vulnerability from github – Published: 2022-05-13 01:26 – Updated: 2022-05-13 01:26
VLAI
Details

Users' VPN authentication credentials are unsafely encrypted in Fortinet FortiClient for Windows 5.6.0 and below versions, FortiClient for Mac OSX 5.6.0 and below versions and FortiClient SSLVPN Client for Linux 4.4.2335 and below versions, due to the use of a static encryption key and weak encryption algorithms.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-17543"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-04-26T20:29:00Z",
    "severity": "HIGH"
  },
  "details": "Users\u0027 VPN authentication credentials are unsafely encrypted in Fortinet FortiClient for Windows 5.6.0 and below versions, FortiClient for Mac OSX 5.6.0 and below versions and FortiClient SSLVPN Client for Linux 4.4.2335 and below versions, due to the use of a static encryption key and weak encryption algorithms.",
  "id": "GHSA-94g8-mrxq-q59c",
  "modified": "2022-05-13T01:26:41Z",
  "published": "2022-05-13T01:26:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-17543"
    },
    {
      "type": "WEB",
      "url": "https://fortiguard.com/advisory/FG-IR-17-214"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9527-8CG9-FCP3

Vulnerability from github – Published: 2022-05-24 17:45 – Updated: 2022-05-24 17:45
VLAI
Details

SSH server configuration file does not implement some best practices. This could lead to a weakening of the SSH protocol strength, which could lead to additional misconfiguration or be leveraged as part of a larger attack on the MU320E (all firmware versions prior to v04A00.1).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-27450"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-03-25T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "SSH server configuration file does not implement some best practices. This could lead to a weakening of the SSH protocol strength, which could lead to additional misconfiguration or be leveraged as part of a larger attack on the MU320E (all firmware versions prior to v04A00.1).",
  "id": "GHSA-9527-8cg9-fcp3",
  "modified": "2022-05-24T17:45:26Z",
  "published": "2022-05-24T17:45:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27450"
    },
    {
      "type": "WEB",
      "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-082-02"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-96G6-83P3-M784

Vulnerability from github – Published: 2021-12-28 00:00 – Updated: 2023-06-30 18:31
VLAI
Details

The Simple JWT Login WordPress plugin before 3.3.0 can be used to create new WordPress user accounts with a randomly generated password. The password is generated using the str_shuffle PHP function that "does not generate cryptographically secure values, and should not be used for cryptographic purposes" according to PHP's documentation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-24998"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326",
      "CWE-330"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-12-27T11:15:00Z",
    "severity": "HIGH"
  },
  "details": "The Simple JWT Login WordPress plugin before 3.3.0 can be used to create new WordPress user accounts with a randomly generated password. The password is generated using the str_shuffle PHP function that \"does not generate cryptographically secure values, and should not be used for cryptographic purposes\" according to PHP\u0027s documentation.",
  "id": "GHSA-96g6-83p3-m784",
  "modified": "2023-06-30T18:31:00Z",
  "published": "2021-12-28T00:00:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-24998"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/2613782"
    },
    {
      "type": "WEB",
      "url": "https://wpscan.com/vulnerability/1cca404e-766a-43ab-b41f-77d6a3b282fb"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-97W9-8HVG-M5R2

Vulnerability from github – Published: 2022-05-24 17:19 – Updated: 2022-09-03 00:00
VLAI
Details

D-Link DIR-865L Ax 1.20B01 Beta devices have Inadequate Encryption Strength.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-13785"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-06-03T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "D-Link DIR-865L Ax 1.20B01 Beta devices have Inadequate Encryption Strength.",
  "id": "GHSA-97w9-8hvg-m5r2",
  "modified": "2022-09-03T00:00:20Z",
  "published": "2022-05-24T17:19:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13785"
    },
    {
      "type": "WEB",
      "url": "https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10174"
    },
    {
      "type": "WEB",
      "url": "https://unit42.paloaltonetworks.com/6-new-d-link-vulnerabilities-found-on-home-routers"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-987X-96FQ-9384

Vulnerability from github – Published: 2025-10-14 18:30 – Updated: 2025-10-15 17:38
VLAI
Summary
Duplicate Advisory: Microsoft Security Advisory CVE-2025-55248: .NET Information Disclosure Vulnerability
Details

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-gwq6-fmvp-qp68. This link is maintained to preserve external references.

Original Description

Inadequate encryption strength in .NET, .NET Framework, Visual Studio allows an authorized attacker to disclose information over a network.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Microsoft.NetCore.App.Runtime.linux-arm"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.0.0"
            },
            {
              "fixed": "9.0.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-15T17:38:42Z",
    "nvd_published_at": "2025-10-14T17:15:44Z",
    "severity": "MODERATE"
  },
  "details": "### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-gwq6-fmvp-qp68. This link is maintained to preserve external references.\n\n### Original Description\nInadequate encryption strength in .NET, .NET Framework, Visual Studio allows an authorized attacker to disclose information over a network.",
  "id": "GHSA-987x-96fq-9384",
  "modified": "2025-10-15T17:38:42Z",
  "published": "2025-10-14T18:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55248"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55248"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Duplicate Advisory: Microsoft Security Advisory CVE-2025-55248: .NET Information Disclosure Vulnerability",
  "withdrawn": "2025-10-15T17:38:42Z"
}

GHSA-98VC-98Q7-57QF

Vulnerability from github – Published: 2022-05-17 02:45 – Updated: 2023-07-31 22:07
VLAI
Summary
Dolibarr ERP and CRM Insecure Encryption
Details

Dolibarr ERP/CRM 4.0.4 stores passwords with the MD5 algorithm, which makes brute-force attacks easier.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "dolibarr/dolibarr"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "4.0.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2017-7888"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-31T22:07:51Z",
    "nvd_published_at": "2017-05-10T14:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "Dolibarr ERP/CRM 4.0.4 stores passwords with the MD5 algorithm, which makes brute-force attacks easier.",
  "id": "GHSA-98vc-98q7-57qf",
  "modified": "2023-07-31T22:07:51Z",
  "published": "2022-05-17T02:45:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7888"
    },
    {
      "type": "WEB",
      "url": "https://www.foxmole.com/advisories/foxmole-2017-02-23.txt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Dolibarr ERP and CRM Insecure Encryption"
}

Mitigation
Architecture and Design

Use an encryption scheme that is currently considered to be strong by experts in the field.

CAPEC-112: Brute Force

In this attack, some asset (information, functionality, identity, etc.) is protected by a finite secret value. The attacker attempts to gain access to this asset by using trial-and-error to exhaustively explore all the possible secret values in the hope of finding the secret (or a value that is functionally equivalent) that will unlock the asset.

CAPEC-192: Protocol Analysis

An adversary engages in activities to decipher and/or decode protocol information for a network or application communication protocol used for transmitting information between interconnected nodes or systems on a packet-switched data network. While this type of analysis involves the analysis of a networking protocol inherently, it does not require the presence of an actual or physical network.

CAPEC-20: Encryption Brute Forcing

An attacker, armed with the cipher text and the encryption algorithm used, performs an exhaustive (brute force) search on the key space to determine the key that decrypts the cipher text to obtain the plaintext.