CWE-326
Allowed-with-ReviewInadequate Encryption Strength
Abstraction: Class · Status: Draft
The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
631 vulnerabilities reference this CWE, most recent first.
GHSA-HV4Q-F4H2-QJ89
Vulnerability from github – Published: 2022-02-11 00:00 – Updated: 2022-02-18 00:00A CWE-326: Inadequate Encryption Strength vulnerability exists that could cause non-encrypted communication with the server when outdated versions of the ViewX client are used. Affected Product: ClearSCADA (All Versions), EcoStruxure Geo SCADA Expert 2019 (All Versions), EcoStruxure Geo SCADA Expert 2020 (All Versions)
{
"affected": [],
"aliases": [
"CVE-2022-24318"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-02-09T23:15:00Z",
"severity": "HIGH"
},
"details": "A CWE-326: Inadequate Encryption Strength vulnerability exists that could cause non-encrypted communication with the server when outdated versions of the ViewX client are used. Affected Product: ClearSCADA (All Versions), EcoStruxure Geo SCADA Expert 2019 (All Versions), EcoStruxure Geo SCADA Expert 2020 (All Versions)",
"id": "GHSA-hv4q-f4h2-qj89",
"modified": "2022-02-18T00:00:58Z",
"published": "2022-02-11T00:00:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24318"
},
{
"type": "WEB",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-039-05"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-HV9M-498V-FP67
Vulnerability from github – Published: 2022-05-24 22:01 – Updated: 2025-05-22 21:30Medtronic Valleylab Exchange Client version 3.4 and below, Valleylab FT10 Energy Platform (VLFT10GEN) software version 4.0.0 and below, and Valleylab FX8 Energy Platform (VLFX8GEN) software version 1.1.0 and below use the descrypt algorithm for OS password hashing. While interactive, network-based logons are disabled, and attackers can use the other vulnerabilities within this report to obtain local shell access and access these hashes.
{
"affected": [],
"aliases": [
"CVE-2019-13539"
],
"database_specific": {
"cwe_ids": [
"CWE-326",
"CWE-328"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-11-08T20:15:00Z",
"severity": "HIGH"
},
"details": "Medtronic Valleylab Exchange Client version 3.4 and below, Valleylab FT10 Energy Platform (VLFT10GEN) software version 4.0.0 and below, and Valleylab FX8 Energy Platform (VLFX8GEN) software version 1.1.0 and below use the descrypt algorithm for OS password hashing. While interactive, network-based logons are disabled, and attackers can use the other vulnerabilities within this report to obtain local shell access and access these hashes.",
"id": "GHSA-hv9m-498v-fp67",
"modified": "2025-05-22T21:30:31Z",
"published": "2022-05-24T22:01:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13539"
},
{
"type": "WEB",
"url": "https://global.medtronic.com/xg-en/product-security/security-bulletins/valleylab-generator-rfid-vulnerabilities.html"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-19-311-02"
},
{
"type": "WEB",
"url": "https://www.us-cert.gov/ics/advisories/icsma-19-311-02"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HVFG-6X3X-XRPQ
Vulnerability from github – Published: 2022-05-13 01:33 – Updated: 2022-05-13 01:33IBM InfoSphere Information Server 11.7 is affected by a weak password encryption vulnerability that could allow a local user to obtain highly sensitive information. IBM X-Force ID: 141682.
{
"affected": [],
"aliases": [
"CVE-2018-1518"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-10-18T15:29:00Z",
"severity": "MODERATE"
},
"details": "IBM InfoSphere Information Server 11.7 is affected by a weak password encryption vulnerability that could allow a local user to obtain highly sensitive information. IBM X-Force ID: 141682.",
"id": "GHSA-hvfg-6x3x-xrpq",
"modified": "2022-05-13T01:33:10Z",
"published": "2022-05-13T01:33:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1518"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/141682"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/docview.wss?uid=swg22017446"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HXGF-G28H-M63F
Vulnerability from github – Published: 2023-05-15 12:30 – Updated: 2024-04-04 04:05Inadequate Encryption Strength in CODESYS Development System V3 versions prior to V3.5.18.40 allows an unauthenticated local attacker to access and manipulate code of the encrypted boot application.
{
"affected": [],
"aliases": [
"CVE-2022-4048"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-15T10:15:10Z",
"severity": "HIGH"
},
"details": "Inadequate Encryption Strength in CODESYS Development System V3 versions prior to V3.5.18.40 allows an unauthenticated local attacker to access and manipulate code of the encrypted boot application.",
"id": "GHSA-hxgf-g28h-m63f",
"modified": "2024-04-04T04:05:09Z",
"published": "2023-05-15T12:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4048"
},
{
"type": "WEB",
"url": "https://customers.codesys.com/index.php?eID=dumpFile\u0026t=f\u0026f=17350\u0026token=2cee62285d3ec76d6a78dfa9b9e81e66f6136a2a\u0026download="
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-J239-4GQG-5J54
Vulnerability from github – Published: 2021-06-03 19:22 – Updated: 2025-01-22 21:44Primetek Primefaces 5.x is vulnerable to a weak encryption flaw resulting in remote code execution
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.primefaces:primefaces"
},
"ranges": [
{
"events": [
{
"introduced": "5.0"
},
{
"fixed": "6.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2017-1000486"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": true,
"github_reviewed_at": "2021-06-03T19:22:05Z",
"nvd_published_at": "2018-01-03T20:29:00Z",
"severity": "CRITICAL"
},
"details": "Primetek Primefaces 5.x is vulnerable to a weak encryption flaw resulting in remote code execution",
"id": "GHSA-j239-4gqg-5j54",
"modified": "2025-01-22T21:44:51Z",
"published": "2021-06-03T19:22:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000486"
},
{
"type": "WEB",
"url": "https://github.com/primefaces/primefaces/issues/1152"
},
{
"type": "WEB",
"url": "https://cryptosense.com/weak-encryption-flaw-in-primefaces"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/43733"
},
{
"type": "WEB",
"url": "http://blog.mindedsecurity.com/2016/02/rce-in-oracle-netbeans-opensource.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Inadequate Encryption Strength"
}
GHSA-J34J-9RR2-H43R
Vulnerability from github – Published: 2022-05-01 02:06 – Updated: 2024-02-14 18:30WebEOC before 6.0.2 uses a weak encryption scheme for passwords, which makes it easier for attackers to crack passwords.
{
"affected": [],
"aliases": [
"CVE-2005-2281"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2005-07-18T04:00:00Z",
"severity": "MODERATE"
},
"details": "WebEOC before 6.0.2 uses a weak encryption scheme for passwords, which makes it easier for attackers to crack passwords.",
"id": "GHSA-j34j-9rr2-h43r",
"modified": "2024-02-14T18:30:23Z",
"published": "2022-05-01T02:06:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2005-2281"
},
{
"type": "WEB",
"url": "http://www.kb.cert.org/vuls/id/491770"
},
{
"type": "WEB",
"url": "http://www.kb.cert.org/vuls/id/JGEI-6BWQDQ"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-J3C8-2MG3-X49V
Vulnerability from github – Published: 2022-05-24 17:17 – Updated: 2022-05-24 17:17On versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.4, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the default deployment mode for BIG-IP high availability (HA) pair mirroring is insecure. This is a control plane issue that is exposed only on the network used for mirroring.
{
"affected": [],
"aliases": [
"CVE-2020-5884"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-04-30T21:15:00Z",
"severity": "MODERATE"
},
"details": "On versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.4, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the default deployment mode for BIG-IP high availability (HA) pair mirroring is insecure. This is a control plane issue that is exposed only on the network used for mirroring.",
"id": "GHSA-j3c8-2mg3-x49v",
"modified": "2022-05-24T17:17:01Z",
"published": "2022-05-24T17:17:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5884"
},
{
"type": "WEB",
"url": "https://support.f5.com/csp/article/K72540690"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-J3G9-6FX5-GJV7
Vulnerability from github – Published: 2019-07-05 21:08 – Updated: 2025-10-22 17:43DNN (aka DotNetNuke) 9.2 through 9.2.2 uses a weak encryption algorithm to protect input parameters. NOTE: this issue exists because of an incomplete fix for CVE-2018-15811.
{
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "DotNetNuke.Core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.3.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-18325"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": true,
"github_reviewed_at": "2019-07-05T20:59:02Z",
"nvd_published_at": "2019-07-03T17:15:00Z",
"severity": "HIGH"
},
"details": "DNN (aka DotNetNuke) 9.2 through 9.2.2 uses a weak encryption algorithm to protect input parameters. NOTE: this issue exists because of an incomplete fix for CVE-2018-15811.",
"id": "GHSA-j3g9-6fx5-gjv7",
"modified": "2025-10-22T17:43:44Z",
"published": "2019-07-05T21:08:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-18325"
},
{
"type": "PACKAGE",
"url": "https://github.com/dnnsoftware/Dnn.Platform"
},
{
"type": "WEB",
"url": "https://github.com/dnnsoftware/Dnn.Platform/releases"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-18325"
},
{
"type": "WEB",
"url": "https://www.dnnsoftware.com/community/security/security-center"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/157080/DotNetNuke-Cookie-Deserialization-Remote-Code-Execution.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H",
"type": "CVSS_V3"
}
],
"summary": "Inadequate Encryption Strength in DotNetNuke"
}
GHSA-J4Q5-PX5W-X7C7
Vulnerability from github – Published: 2022-05-13 01:32 – Updated: 2022-05-13 01:32IBM Security Access Manager Appliance 9.0.1.0, 9.0.2.0, 9.0.3.0, 9.0.4.0, and 9.0.5.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 150018.
{
"affected": [],
"aliases": [
"CVE-2018-1814"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-12-13T16:29:00Z",
"severity": "HIGH"
},
"details": "IBM Security Access Manager Appliance 9.0.1.0, 9.0.2.0, 9.0.3.0, 9.0.4.0, and 9.0.5.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 150018.",
"id": "GHSA-j4q5-px5w-x7c7",
"modified": "2022-05-13T01:32:36Z",
"published": "2022-05-13T01:32:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1814"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/150018"
},
{
"type": "WEB",
"url": "http://www.ibm.com/support/docview.wss?uid=ibm10787785"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-J4XV-J53X-9HMR
Vulnerability from github – Published: 2023-07-18 21:30 – Updated: 2024-04-04 06:14The BigFix WebUI uses weak cipher suites.
{
"affected": [],
"aliases": [
"CVE-2023-28021"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-18T19:15:09Z",
"severity": "HIGH"
},
"details": "The BigFix WebUI uses weak cipher suites.\n",
"id": "GHSA-j4xv-j53x-9hmr",
"modified": "2024-04-04T06:14:23Z",
"published": "2023-07-18T21:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28021"
},
{
"type": "WEB",
"url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0106123"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Use an encryption scheme that is currently considered to be strong by experts in the field.
CAPEC-112: Brute Force
In this attack, some asset (information, functionality, identity, etc.) is protected by a finite secret value. The attacker attempts to gain access to this asset by using trial-and-error to exhaustively explore all the possible secret values in the hope of finding the secret (or a value that is functionally equivalent) that will unlock the asset.
CAPEC-192: Protocol Analysis
An adversary engages in activities to decipher and/or decode protocol information for a network or application communication protocol used for transmitting information between interconnected nodes or systems on a packet-switched data network. While this type of analysis involves the analysis of a networking protocol inherently, it does not require the presence of an actual or physical network.
CAPEC-20: Encryption Brute Forcing
An attacker, armed with the cipher text and the encryption algorithm used, performs an exhaustive (brute force) search on the key space to determine the key that decrypts the cipher text to obtain the plaintext.