CWE-326
Allowed-with-ReviewInadequate Encryption Strength
Abstraction: Class · Status: Draft
The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
631 vulnerabilities reference this CWE, most recent first.
GHSA-9P5P-2QC4-589G
Vulnerability from github – Published: 2022-05-17 02:52 – Updated: 2022-05-17 02:52Due to a lack of standard encryption when transmitting sensitive information over the internet to a centralized monitoring service, the Eview EV-07S GPS Tracker discloses personally identifying information, such as GPS data and IMEI numbers, to any man-in-the-middle (MitM) listener.
{
"affected": [],
"aliases": [
"CVE-2017-5239"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-03-27T21:59:00Z",
"severity": "HIGH"
},
"details": "Due to a lack of standard encryption when transmitting sensitive information over the internet to a centralized monitoring service, the Eview EV-07S GPS Tracker discloses personally identifying information, such as GPS data and IMEI numbers, to any man-in-the-middle (MitM) listener.",
"id": "GHSA-9p5p-2qc4-589g",
"modified": "2022-05-17T02:52:28Z",
"published": "2022-05-17T02:52:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5239"
},
{
"type": "WEB",
"url": "https://community.rapid7.com/community/infosec/blog/2017/03/27/r7-2015-28-multiple-eview-ev-07s-gps-tracker-vulnerabilities"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/97194"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-9PM7-VPRJ-C6WM
Vulnerability from github – Published: 2022-05-24 17:26 – Updated: 2025-11-04 21:30NCR SelfServ ATMs running APTRA XFS 04.02.01 and 05.01.00 implement 512-bit RSA certificates to validate bunch note acceptor (BNA) software updates, which can be broken by an attacker with physical access in a sufficiently short period of time, thereby enabling the attacker to sign arbitrary files and CAB archives used to update BNA software, as well as bypass application whitelisting, resulting in the ability to execute arbitrary code.
{
"affected": [],
"aliases": [
"CVE-2020-10125"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-08-21T21:15:00Z",
"severity": "MODERATE"
},
"details": "NCR SelfServ ATMs running APTRA XFS 04.02.01 and 05.01.00 implement 512-bit RSA certificates to validate bunch note acceptor (BNA) software updates, which can be broken by an attacker with physical access in a sufficiently short period of time, thereby enabling the attacker to sign arbitrary files and CAB archives used to update BNA software, as well as bypass application whitelisting, resulting in the ability to execute arbitrary code.",
"id": "GHSA-9pm7-vprj-c6wm",
"modified": "2025-11-04T21:30:24Z",
"published": "2022-05-24T17:26:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10125"
},
{
"type": "WEB",
"url": "https://kb.cert.org/vuls/id/815655"
},
{
"type": "WEB",
"url": "https://www.kb.cert.org/vuls/id/815655"
},
{
"type": "WEB",
"url": "https://www.ncr.com/content/dam/ncrcom/content-type/documents/NCR_Security_Alert-2018-13_APTRA_XFS_"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9RVC-XV25-JJH5
Vulnerability from github – Published: 2022-05-24 19:10 – Updated: 2023-08-08 15:31In JetBrains Hub before 2021.1.13262, a potentially insufficient CSP for the Widget deployment feature was used.
{
"affected": [],
"aliases": [
"CVE-2021-37540"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-06T14:15:00Z",
"severity": "MODERATE"
},
"details": "In JetBrains Hub before 2021.1.13262, a potentially insufficient CSP for the Widget deployment feature was used.",
"id": "GHSA-9rvc-xv25-jjh5",
"modified": "2023-08-08T15:31:19Z",
"published": "2022-05-24T19:10:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37540"
},
{
"type": "WEB",
"url": "https://blog.jetbrains.com/blog/2021/08/05/jetbrains-security-bulletin-q2-2021"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-9V96-J7X8-6WJV
Vulnerability from github – Published: 2022-05-13 01:14 – Updated: 2025-10-22 00:31Telerik.Web.UI in Progress Telerik UI for ASP.NET AJAX before R1 2017 and R2 before R2 2017 SP2 uses weak RadAsyncUpload encryption, which allows remote attackers to perform arbitrary file uploads or execute arbitrary code.
{
"affected": [],
"aliases": [
"CVE-2017-11317"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-08-23T17:29:00Z",
"severity": "CRITICAL"
},
"details": "Telerik.Web.UI in Progress Telerik UI for ASP.NET AJAX before R1 2017 and R2 before R2 2017 SP2 uses weak RadAsyncUpload encryption, which allows remote attackers to perform arbitrary file uploads or execute arbitrary code.",
"id": "GHSA-9v96-j7x8-6wjv",
"modified": "2025-10-22T00:31:24Z",
"published": "2022-05-13T01:14:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-11317"
},
{
"type": "WEB",
"url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2018-0006"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-11317"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/43874"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/159653/Telerik-UI-ASP.NET-AJAX-RadAsyncUpload-Deserialization.html"
},
{
"type": "WEB",
"url": "http://www.telerik.com/support/kb/aspnet-ajax/upload-%28async%29/details/unrestricted-file-upload"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9W5C-29MX-552C
Vulnerability from github – Published: 2024-04-03 03:30 – Updated: 2024-09-06 21:32An issue was discovered in Mbed TLS 3.5.x before 3.6.0. When an SSL context was reset with the mbedtls_ssl_session_reset() API, the maximum TLS version to be negotiated was not restored to the configured one. An attacker was able to prevent an Mbed TLS server from establishing any TLS 1.3 connection, potentially resulting in a Denial of Service or forced version downgrade from TLS 1.3 to TLS 1.2.
{
"affected": [],
"aliases": [
"CVE-2024-28755"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-03T03:15:10Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in Mbed TLS 3.5.x before 3.6.0. When an SSL context was reset with the mbedtls_ssl_session_reset() API, the maximum TLS version to be negotiated was not restored to the configured one. An attacker was able to prevent an Mbed TLS server from establishing any TLS 1.3 connection, potentially resulting in a Denial of Service or forced version downgrade from TLS 1.3 to TLS 1.2.",
"id": "GHSA-9w5c-29mx-552c",
"modified": "2024-09-06T21:32:26Z",
"published": "2024-04-03T03:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28755"
},
{
"type": "WEB",
"url": "https://github.com/Mbed-TLS/mbedtls/releases/tag/v3.6.0"
},
{
"type": "WEB",
"url": "https://github.com/hey3e"
},
{
"type": "WEB",
"url": "https://hey3e.github.io"
},
{
"type": "WEB",
"url": "https://mbed-tls.readthedocs.io/en/latest/tech-updates/security-advisories"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-9W5V-RMGQ-P82G
Vulnerability from github – Published: 2022-05-24 17:24 – Updated: 2022-05-24 17:24This vulnerability allows remote attackers to disclose sensitive information on affected installations of C-MORE HMI EA9 Firmware version 6.52 touch screen panels. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of passwords. When transmitting passwords, the process encrypts them in a recoverable format using a hard-coded key. An attacker can leverage this vulnerability to disclose credentials, leading to further compromise. Was ZDI-CAN-10185.
{
"affected": [],
"aliases": [
"CVE-2020-10919"
],
"database_specific": {
"cwe_ids": [
"CWE-261",
"CWE-326",
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-07-23T16:15:00Z",
"severity": "MODERATE"
},
"details": "This vulnerability allows remote attackers to disclose sensitive information on affected installations of C-MORE HMI EA9 Firmware version 6.52 touch screen panels. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of passwords. When transmitting passwords, the process encrypts them in a recoverable format using a hard-coded key. An attacker can leverage this vulnerability to disclose credentials, leading to further compromise. Was ZDI-CAN-10185.",
"id": "GHSA-9w5v-rmgq-p82g",
"modified": "2022-05-24T17:24:12Z",
"published": "2022-05-24T17:24:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10919"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-20-806"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-C25X-Q5GV-WWM3
Vulnerability from github – Published: 2022-12-08 18:30 – Updated: 2022-12-12 18:30In JetBrains IntelliJ IDEA before 2022.3 the built-in web server leaked information about open projects.
{
"affected": [],
"aliases": [
"CVE-2022-46825"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-08T18:15:00Z",
"severity": "LOW"
},
"details": "In JetBrains IntelliJ IDEA before 2022.3 the built-in web server leaked information about open projects.",
"id": "GHSA-c25x-q5gv-wwm3",
"modified": "2022-12-12T18:30:29Z",
"published": "2022-12-08T18:30:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46825"
},
{
"type": "WEB",
"url": "https://www.jetbrains.com/privacy-security/issues-fixed"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-C32J-VQHX-RX3X
Vulnerability from github – Published: 2026-05-18 17:24 – Updated: 2026-06-02 22:12JWT.decode(token, '', true, algorithm: 'HS256') accepts an attacker-forged token.
OpenSSL::HMAC.digest('SHA256', '', payload) returns a valid digest under an empty key, and no raise
InvalidKeyError if key.empty? precondition exists in the HMAC algorithm.
JWT.decode(token, "", true, algorithm: 'HS256')
-> JWA::Hmac.verify(verification_key: "", ...)
-> OpenSSL::HMAC.digest('SHA256', "", signing_input) == signature
The same path is reached when a keyfinder block or key_finder: argument returns "", nil, or an array containing nil for an unknown key. JWT::Decode#find_key only rejects literal nil and empty arrays, and JWT::JWA::Hmac silently coerces nil to "" (signing_key ||= '') before signing.
JWT.decode(token, nil, true, algorithms: ['HS256']) { |_h| "" }
-> find_key returns "" # "" && !Array("").empty? == true
-> JWA::Hmac.verify(verification_key: "", ...)
-> verifies
Common application patterns that produce the unsafe value: redis.get("kid:#{kid}").to_s, ORM string columns with default: '', ENV['SECRET'] || '', Hash.new('') lookups, [primary, fallback] where fallback may be nil. Applications passing a non-empty static key:, or whose keyfinder returns nil / raises on miss, are not affected.
The existing enforce_hmac_key_length option would block this but defaults to false. On OpenSSL ≥ 3.5 the empty-key HMAC.digest call no longer raises, so the OpenSSL-3.0 rescue in JWA::Hmac#sign does not fire.
Affects HS256/HS384/HS512 via both JWT.decode (positional key and block keyfinder) and
JWT::EncodedToken#verify_signature!(key_finder:)
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "jwt"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.2.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "jwt"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.10.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-45363"
],
"database_specific": {
"cwe_ids": [
"CWE-1391",
"CWE-287",
"CWE-326"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-18T17:24:55Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "`JWT.decode(token, \u0027\u0027, true, algorithm: \u0027HS256\u0027)` accepts an attacker-forged token.\n`OpenSSL::HMAC.digest(\u0027SHA256\u0027, \u0027\u0027, payload)` returns a valid digest under an empty key, and no `raise\n InvalidKeyError if key.empty?` precondition exists in the HMAC algorithm.\n\n```\nJWT.decode(token, \"\", true, algorithm: \u0027HS256\u0027)\n -\u003e JWA::Hmac.verify(verification_key: \"\", ...)\n -\u003e OpenSSL::HMAC.digest(\u0027SHA256\u0027, \"\", signing_input) == signature\n```\n\nThe same path is reached when a keyfinder block or key_finder: argument returns \"\", nil, or an\narray containing nil for an unknown key. JWT::Decode#find_key only rejects literal nil and empty\narrays, and JWT::JWA::Hmac silently coerces nil to \"\" (signing_key ||= \u0027\u0027) before signing.\n\n```\nJWT.decode(token, nil, true, algorithms: [\u0027HS256\u0027]) { |_h| \"\" }\n -\u003e find_key returns \"\" # \"\" \u0026\u0026 !Array(\"\").empty? == true\n -\u003e JWA::Hmac.verify(verification_key: \"\", ...)\n -\u003e verifies\n```\nCommon application patterns that produce the unsafe value: `redis.get(\"kid:#{kid}\").to_s`, ORM string columns with `default: \u0027\u0027`, `ENV[\u0027SECRET\u0027] || \u0027\u0027, Hash.new(\u0027\u0027)` lookups, [primary, fallback] where fallback may be nil. Applications passing a non-empty static key:, or whose keyfinder returns nil / raises on miss, are not affected.\n\nThe existing `enforce_hmac_key_length` option would block this but defaults to false. On OpenSSL \u2265 3.5 the empty-key HMAC.digest call no longer raises, so the OpenSSL-3.0 rescue in JWA::Hmac#sign does not fire.\n\nAffects HS256/HS384/HS512 via both JWT.decode (positional key and block keyfinder) and\n`JWT::EncodedToken#verify_signature!(key_finder:)`",
"id": "GHSA-c32j-vqhx-rx3x",
"modified": "2026-06-02T22:12:50Z",
"published": "2026-05-18T17:24:55Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/jwt/ruby-jwt/security/advisories/GHSA-c32j-vqhx-rx3x"
},
{
"type": "WEB",
"url": "https://github.com/jwt/ruby-jwt/issues/724"
},
{
"type": "WEB",
"url": "https://github.com/jwt/ruby-jwt/commit/db560b769a07bd9724e77ff505011ac01872106f"
},
{
"type": "PACKAGE",
"url": "https://github.com/jwt/ruby-jwt"
},
{
"type": "WEB",
"url": "https://github.com/jwt/ruby-jwt/releases/tag/v2.10.3"
},
{
"type": "WEB",
"url": "https://github.com/jwt/ruby-jwt/releases/tag/v3.2.0"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/jwt/CVE-2026-45363.yml"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-45363"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "ruby-jwt: Empty-key HMAC bypass; cross-language sibling of CVE-2026-44351"
}
GHSA-C3XQ-CJ8F-7829
Vulnerability from github – Published: 2021-10-12 16:31 – Updated: 2024-10-25 21:26python-keystoneclient version 0.2.3 to 0.2.5 has middleware memcache encryption bypass.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.2.5"
},
"package": {
"ecosystem": "PyPI",
"name": "python-keystoneclient"
},
"ranges": [
{
"events": [
{
"introduced": "0.2.3"
},
{
"fixed": "0.3.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2013-2166"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": true,
"github_reviewed_at": "2021-10-08T23:03:40Z",
"nvd_published_at": "2019-12-10T15:15:00Z",
"severity": "CRITICAL"
},
"details": "python-keystoneclient version 0.2.3 to 0.2.5 has middleware memcache encryption bypass.",
"id": "GHSA-c3xq-cj8f-7829",
"modified": "2024-10-25T21:26:23Z",
"published": "2021-10-12T16:31:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-2166"
},
{
"type": "WEB",
"url": "https://github.com/openstack/python-keystoneclient/commit/eeefb784f24c37d5f56a421e1ccc911cace9385e"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/cve-2013-2166"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2166"
},
{
"type": "WEB",
"url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2013-2166"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-c3xq-cj8f-7829"
},
{
"type": "PACKAGE",
"url": "https://github.com/openstack/python-keystoneclient"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/python-keystoneclient/PYSEC-2019-197.yaml"
},
{
"type": "WEB",
"url": "https://security-tracker.debian.org/tracker/CVE-2013-2166"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2013-August/113944.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0992.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2013/06/19/5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Inadequate Encryption Strength in python-keystoneclient"
}
GHSA-C4FR-GX5W-8QF2
Vulnerability from github – Published: 2022-05-17 04:44 – Updated: 2025-03-13 19:18The Subversion plugin before 1.54 for Jenkins stores credentials using base64 encoding, which allows local users to obtain passwords and SSH private keys by reading a subversion.credentials file.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:subversion"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.54"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2013-6372"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-13T19:18:24Z",
"nvd_published_at": "2014-05-08T14:29:00Z",
"severity": "MODERATE"
},
"details": "The Subversion plugin before 1.54 for Jenkins stores credentials using base64 encoding, which allows local users to obtain passwords and SSH private keys by reading a subversion.credentials file.",
"id": "GHSA-c4fr-gx5w-8qf2",
"modified": "2025-03-13T19:18:24Z",
"published": "2022-05-17T04:44:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-6372"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/subversion-plugin/commit/7d4562d6f7e40de04bbe29577b51c79f07d05ba6"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHBA-2014:1630"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2013-6372"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1032391"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/subversion-plugin"
},
{
"type": "WEB",
"url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-11-20"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Jenkins Subversion Plugin Stores Credentials with Base64 Encoding"
}
Mitigation
Use an encryption scheme that is currently considered to be strong by experts in the field.
CAPEC-112: Brute Force
In this attack, some asset (information, functionality, identity, etc.) is protected by a finite secret value. The attacker attempts to gain access to this asset by using trial-and-error to exhaustively explore all the possible secret values in the hope of finding the secret (or a value that is functionally equivalent) that will unlock the asset.
CAPEC-192: Protocol Analysis
An adversary engages in activities to decipher and/or decode protocol information for a network or application communication protocol used for transmitting information between interconnected nodes or systems on a packet-switched data network. While this type of analysis involves the analysis of a networking protocol inherently, it does not require the presence of an actual or physical network.
CAPEC-20: Encryption Brute Forcing
An attacker, armed with the cipher text and the encryption algorithm used, performs an exhaustive (brute force) search on the key space to determine the key that decrypts the cipher text to obtain the plaintext.