Common Weakness Enumeration

CWE-326

Allowed-with-Review

Inadequate Encryption Strength

Abstraction: Class · Status: Draft

The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

631 vulnerabilities reference this CWE, most recent first.

GHSA-CJQJ-G595-FH5J

Vulnerability from github – Published: 2022-05-24 16:59 – Updated: 2022-05-24 16:59
VLAI
Details

Adobe Acrobat and Reader versions 2019.012.20034 and earlier; 2019.012.20035 and earlier versions; 2017.011.30142 and earlier versions; 2017.011.30143 and earlier versions; 2015.006.30497 and earlier versions; 2015.006.30498 and earlier versions have an Insufficiently Robust Encryption vulnerability. Successful exploitation could lead to Security feature bypass in the context of the current user.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-8237"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326",
      "CWE-327"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-10-23T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "Adobe Acrobat and Reader versions 2019.012.20034 and earlier; 2019.012.20035 and earlier versions; 2017.011.30142 and earlier versions; 2017.011.30143 and earlier versions; 2015.006.30497 and earlier versions; 2015.006.30498 and earlier versions have an Insufficiently Robust Encryption vulnerability. Successful exploitation could lead to Security feature bypass in the context of the current user.",
  "id": "GHSA-cjqj-g595-fh5j",
  "modified": "2022-05-24T16:59:47Z",
  "published": "2022-05-24T16:59:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8237"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/acrobat/apsb19-41.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-CJR2-G7QM-XQ33

Vulnerability from github – Published: 2022-05-24 19:02 – Updated: 2022-05-24 19:02
VLAI
Details

Password generator feature in Kaspersky Password Manager was not completely cryptographically strong and potentially allowed an attacker to predict generated passwords in some cases. An attacker would need to know some additional information (for example, time of password generation).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-27020"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-05-14T11:15:00Z",
    "severity": "HIGH"
  },
  "details": "Password generator feature in Kaspersky Password Manager was not completely cryptographically strong and potentially allowed an attacker to predict generated passwords in some cases. An attacker would need to know some additional information (for example, time of password generation).",
  "id": "GHSA-cjr2-g7qm-xq33",
  "modified": "2022-05-24T19:02:30Z",
  "published": "2022-05-24T19:02:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27020"
    },
    {
      "type": "WEB",
      "url": "https://support.kaspersky.com/general/vulnerability.aspx?el=12430#270421"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-CPVM-F36G-55VG

Vulnerability from github – Published: 2022-05-24 17:12 – Updated: 2022-10-07 18:15
VLAI
Details

A flaw was found in the way certificate signatures could be forged using collisions found in the SHA-1 algorithm. An attacker could use this weakness to create forged certificate signatures. This issue affects GnuPG versions before 2.2.18.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-14855"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-03-20T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A flaw was found in the way certificate signatures could be forged using collisions found in the SHA-1 algorithm. An attacker could use this weakness to create forged certificate signatures. This issue affects GnuPG versions before 2.2.18.",
  "id": "GHSA-cpvm-f36g-55vg",
  "modified": "2022-10-07T18:15:56Z",
  "published": "2022-05-24T17:12:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14855"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14855"
    },
    {
      "type": "WEB",
      "url": "https://dev.gnupg.org/T4755"
    },
    {
      "type": "WEB",
      "url": "https://lists.gnupg.org/pipermail/gnupg-announce/2019q4/000442.html"
    },
    {
      "type": "WEB",
      "url": "https://rwc.iacr.org/2020/slides/Leurent.pdf"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4516-1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CQM6-HRGQ-6869

Vulnerability from github – Published: 2022-05-13 01:47 – Updated: 2022-11-22 18:57
VLAI
Summary
Apache OpenMeetings has Inadequate Encryption Strength
Details

Apache OpenMeetings 1.0.0 uses not very strong cryptographic storage, captcha is not used in registration and forget password dialogs and auth forms missing brute force protection.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.openmeetings:openmeetings-parent"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "fixed": "3.3.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2017-7673"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-11-22T18:57:29Z",
    "nvd_published_at": "2017-07-17T13:18:00Z",
    "severity": "CRITICAL"
  },
  "details": "Apache OpenMeetings 1.0.0 uses not very strong cryptographic storage, captcha is not used in registration and forget password dialogs and auth forms missing brute force protection.",
  "id": "GHSA-cqm6-hrgq-6869",
  "modified": "2022-11-22T18:57:29Z",
  "published": "2022-05-13T01:47:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7673"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/openmeetings"
    },
    {
      "type": "WEB",
      "url": "http://markmail.org/message/3hshl26omwjo6c5i"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/99587"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apache OpenMeetings has Inadequate Encryption Strength"
}

GHSA-CR6F-25F8-7583

Vulnerability from github – Published: 2022-05-13 01:36 – Updated: 2022-05-13 01:36
VLAI
Details

Cryptanalysis vulnerability in the web interface in McAfee Network Security Management (NSM) before 8.2.7.42.2 allows attackers to view confidential information via insecure use of RC4 encryption cyphers.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-3971"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-04-04T13:29:00Z",
    "severity": "MODERATE"
  },
  "details": "Cryptanalysis vulnerability in the web interface in McAfee Network Security Management (NSM) before 8.2.7.42.2 allows attackers to view confidential information via insecure use of RC4 encryption cyphers.",
  "id": "GHSA-cr6f-25f8-7583",
  "modified": "2022-05-13T01:36:40Z",
  "published": "2022-05-13T01:36:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-3971"
    },
    {
      "type": "WEB",
      "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10192"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CV7H-78V9-R3JF

Vulnerability from github – Published: 2026-01-13 03:32 – Updated: 2026-01-13 03:32
VLAI
Details

The User Management Engine (UME) in NetWeaver Application Server for Java (NW AS Java) utilizes an obsolete cryptographic algorithm for encrypting User Mapping data. This weakness could allow an attacker with high-privileged access to exploit the vulnerability under specific conditions potentially leading to partial disclosure of sensitive information.This has low impact on confidentiality with no impact on integrity and availability of the application.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-0510"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-13T02:15:53Z",
    "severity": "LOW"
  },
  "details": "The User Management Engine (UME) in NetWeaver Application Server for Java (NW AS Java) utilizes an obsolete cryptographic algorithm for encrypting User Mapping data. This weakness could allow an attacker with high-privileged access to exploit the vulnerability under specific conditions potentially leading to partial disclosure of sensitive information.This has low impact on confidentiality with no impact on integrity and availability of the application.",
  "id": "GHSA-cv7h-78v9-r3jf",
  "modified": "2026-01-13T03:32:09Z",
  "published": "2026-01-13T03:32:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0510"
    },
    {
      "type": "WEB",
      "url": "https://me.sap.com/notes/3593356"
    },
    {
      "type": "WEB",
      "url": "https://url.sap/sapsecuritypatchday"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CV8V-H856-HHXW

Vulnerability from github – Published: 2022-05-24 16:49 – Updated: 2023-03-03 21:30
VLAI
Details

IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 158092.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-4102"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-07-01T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 158092.",
  "id": "GHSA-cv8v-h856-hhxw",
  "modified": "2023-03-03T21:30:18Z",
  "published": "2022-05-24T16:49:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-4102"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/158092"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/docview.wss?uid=ibm10880743"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/109026"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CVFX-WFGC-G5XW

Vulnerability from github – Published: 2024-06-13 12:30 – Updated: 2024-06-13 12:30
VLAI
Details

ColdFusion versions 2023u7, 2021u13 and earlier are affected by a Weak Cryptography for Passwords vulnerability that could result in a security feature bypass. This vulnerability arises due to the use of insufficiently strong cryptographic algorithms or flawed implementation that compromises the confidentiality of password data. An attacker could exploit this weakness to decrypt or guess passwords, potentially gaining unauthorized access to protected resources. Exploitation of this issue does not require user interaction.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-34113"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-261",
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-13T12:15:11Z",
    "severity": "MODERATE"
  },
  "details": "ColdFusion versions 2023u7, 2021u13 and earlier are affected by a Weak Cryptography for Passwords vulnerability that could result in a security feature bypass. This vulnerability arises due to the use of insufficiently strong cryptographic algorithms or flawed implementation that compromises the confidentiality of password data. An attacker could exploit this weakness to decrypt or guess passwords, potentially gaining unauthorized access to protected resources. Exploitation of this issue does not require user interaction.",
  "id": "GHSA-cvfx-wfgc-g5xw",
  "modified": "2024-06-13T12:30:34Z",
  "published": "2024-06-13T12:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34113"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/coldfusion/apsb24-41.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CVV7-5999-M892

Vulnerability from github – Published: 2025-03-27 15:31 – Updated: 2025-03-27 15:31
VLAI
Details

The use of a weak cryptographic key pair in the signature verification process in WPS Office (Kingsoft) on Windows allows an attacker who successfully recovered the private key to sign components.

As older versions of WPS Office did not validate the update server's certificate, an Adversary-In-The-Middle attack was possible allowing updates to be hijacked.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-2516"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-27T15:16:01Z",
    "severity": "CRITICAL"
  },
  "details": "The use of a weak cryptographic key pair in the signature verification process in WPS Office (Kingsoft) on Windows allows an attacker who successfully recovered the private key to sign components.\n\nAs older versions of WPS Office did not validate the update server\u0027s certificate, an Adversary-In-The-Middle attack was possible allowing updates to be hijacked.",
  "id": "GHSA-cvv7-5999-m892",
  "modified": "2025-03-27T15:31:14Z",
  "published": "2025-03-27T15:31:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2516"
    },
    {
      "type": "WEB",
      "url": "https://www.welivesecurity.com/en/eset-research/nspx30-sophisticated-aitm-enabled-implant-evolving-since-2005"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Amber",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-F4FH-MR9X-PQGF

Vulnerability from github – Published: 2025-12-11 00:30 – Updated: 2025-12-11 21:31
VLAI
Details

Multiple vulnerabilities in Aqara Hub firmware update process in the Camera Hub G3 4.1.9_0027, Hub M2 4.3.6_0027, and Hub M3 4.3.6_0025 devices, allow attackers to install malicious firmware without proper verification. The device fails to validate firmware signatures during updates, uses outdated cryptographic methods that can be exploited to forge valid signatures, and exposes information through improperly initialized memory.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-65295"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-10T22:16:27Z",
    "severity": "HIGH"
  },
  "details": "Multiple vulnerabilities in Aqara Hub firmware update process in the Camera Hub G3 4.1.9_0027, Hub M2 4.3.6_0027, and Hub M3 4.3.6_0025 devices, allow attackers to install malicious firmware without proper verification. The device fails to validate firmware signatures during updates, uses outdated cryptographic methods that can be exploited to forge valid signatures, and exposes information through improperly initialized memory.",
  "id": "GHSA-f4fh-mr9x-pqgf",
  "modified": "2025-12-11T21:31:28Z",
  "published": "2025-12-11T00:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65295"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Chapoly1305/myCVEReports/blob/main/Aqara/OTA-Firmware-Insecurity.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Use an encryption scheme that is currently considered to be strong by experts in the field.

CAPEC-112: Brute Force

In this attack, some asset (information, functionality, identity, etc.) is protected by a finite secret value. The attacker attempts to gain access to this asset by using trial-and-error to exhaustively explore all the possible secret values in the hope of finding the secret (or a value that is functionally equivalent) that will unlock the asset.

CAPEC-192: Protocol Analysis

An adversary engages in activities to decipher and/or decode protocol information for a network or application communication protocol used for transmitting information between interconnected nodes or systems on a packet-switched data network. While this type of analysis involves the analysis of a networking protocol inherently, it does not require the presence of an actual or physical network.

CAPEC-20: Encryption Brute Forcing

An attacker, armed with the cipher text and the encryption algorithm used, performs an exhaustive (brute force) search on the key space to determine the key that decrypts the cipher text to obtain the plaintext.