CWE-326
Allowed-with-ReviewInadequate Encryption Strength
Abstraction: Class · Status: Draft
The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
631 vulnerabilities reference this CWE, most recent first.
GHSA-QGJV-RWC2-2RR2
Vulnerability from github – Published: 2022-05-14 02:11 – Updated: 2025-04-20 03:34xbcrypt in Percona XtraBackup before 2.3.6 and 2.4.x before 2.4.5 does not properly set the initialization vector (IV) for encryption, which makes it easier for context-dependent attackers to obtain sensitive information from encrypted backup files via a Chosen-Plaintext attack. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-6394.
{
"affected": [],
"aliases": [
"CVE-2016-6225"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-03-23T16:59:00Z",
"severity": "MODERATE"
},
"details": "xbcrypt in Percona XtraBackup before 2.3.6 and 2.4.x before 2.4.5 does not properly set the initialization vector (IV) for encryption, which makes it easier for context-dependent attackers to obtain sensitive information from encrypted backup files via a Chosen-Plaintext attack. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-6394.",
"id": "GHSA-qgjv-rwc2-2rr2",
"modified": "2025-04-20T03:34:38Z",
"published": "2022-05-14T02:11:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-6225"
},
{
"type": "WEB",
"url": "https://github.com/percona/percona-xtrabackup/pull/266"
},
{
"type": "WEB",
"url": "https://github.com/percona/percona-xtrabackup/pull/267"
},
{
"type": "WEB",
"url": "https://bugs.launchpad.net/percona-xtrabackup/+bug/1643949"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BAHI6ETS22FJCMLW7A6SICFKQXF5G2VI"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZBVCP6KLFVGG6HSGLHLTMZRD6C4IJSZP"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BAHI6ETS22FJCMLW7A6SICFKQXF5G2VI"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBVCP6KLFVGG6HSGLHLTMZRD6C4IJSZP"
},
{
"type": "WEB",
"url": "https://www.percona.com/blog/2017/01/12/cve-2016-6225-percona-xtrabackup-encryption-iv-not-set-properly"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-updates/2017-01/msg00125.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-updates/2017-01/msg00126.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QHC4-4FCQ-JV7Q
Vulnerability from github – Published: 2022-05-24 17:15 – Updated: 2022-05-24 17:15An issue was discovered on LG mobile devices with Android OS 9.0 (Qualcomm SDM450, SDM845, SM6150, and SM8150 chipsets) software. Weak encryption leads to local information disclosure. The LG ID is LVE-SMP-190010 (August 2019).
{
"affected": [],
"aliases": [
"CVE-2019-20775"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-04-17T14:15:00Z",
"severity": "LOW"
},
"details": "An issue was discovered on LG mobile devices with Android OS 9.0 (Qualcomm SDM450, SDM845, SM6150, and SM8150 chipsets) software. Weak encryption leads to local information disclosure. The LG ID is LVE-SMP-190010 (August 2019).",
"id": "GHSA-qhc4-4fcq-jv7q",
"modified": "2022-05-24T17:15:39Z",
"published": "2022-05-24T17:15:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20775"
},
{
"type": "WEB",
"url": "https://lgsecurity.lge.com"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-QHCV-443V-WJGQ
Vulnerability from github – Published: 2022-05-24 17:33 – Updated: 2024-04-04 03:03In versions 14.1.0-14.1.0.1 and 14.1.2.5-14.1.2.7, when a BIG-IP object is created or listed through the REST interface, the protected fields are obfuscated in the REST response, not protected via a SecureVault cryptogram as TMSH does. One example of protected fields is the GTM monitor password.
{
"affected": [],
"aliases": [
"CVE-2020-5943"
],
"database_specific": {
"cwe_ids": [
"CWE-326",
"CWE-327"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-11-05T20:15:00Z",
"severity": "MODERATE"
},
"details": "In versions 14.1.0-14.1.0.1 and 14.1.2.5-14.1.2.7, when a BIG-IP object is created or listed through the REST interface, the protected fields are obfuscated in the REST response, not protected via a SecureVault cryptogram as TMSH does. One example of protected fields is the GTM monitor password.",
"id": "GHSA-qhcv-443v-wjgq",
"modified": "2024-04-04T03:03:17Z",
"published": "2022-05-24T17:33:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5943"
},
{
"type": "WEB",
"url": "https://support.f5.com/csp/article/K20059815"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QM7Q-VXJ7-9XG3
Vulnerability from github – Published: 2022-05-24 16:58 – Updated: 2022-05-24 16:58A security feature bypass vulnerability exists in Microsoft Windows when a man-in-the-middle attacker is able to successfully bypass the NTLMv2 protection if a client is also sending LMv2 responses, aka 'Windows NTLM Security Feature Bypass Vulnerability'.
{
"affected": [],
"aliases": [
"CVE-2019-1338"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-10-10T14:15:00Z",
"severity": "MODERATE"
},
"details": "A security feature bypass vulnerability exists in Microsoft Windows when a man-in-the-middle attacker is able to successfully bypass the NTLMv2 protection if a client is also sending LMv2 responses, aka \u0027Windows NTLM Security Feature Bypass Vulnerability\u0027.",
"id": "GHSA-qm7q-vxj7-9xg3",
"modified": "2022-05-24T16:58:28Z",
"published": "2022-05-24T16:58:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1338"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1338"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-QM8X-GP66-4VFH
Vulnerability from github – Published: 2022-05-13 01:08 – Updated: 2022-05-13 01:08A vulnerability has been identified in DIGSI 4 (All versions < V4.92), EN100 Ethernet module DNP3 variant (All versions < V1.05.00), EN100 Ethernet module IEC 104 variant (All versions), EN100 Ethernet module IEC 61850 variant (All versions < V4.30), EN100 Ethernet module Modbus TCP variant (All versions), EN100 Ethernet module PROFINET IO variant (All versions), Other SIPROTEC 4 relays (All versions), Other SIPROTEC Compact relays (All versions), SIPROTEC 4 7SD80 (All versions < V4.70), SIPROTEC 4 7SJ61 (All versions < V4.96), SIPROTEC 4 7SJ62 (All versions < V4.96), SIPROTEC 4 7SJ64 (All versions < V4.96), SIPROTEC 4 7SJ66 (All versions < V4.30), SIPROTEC Compact 7SJ80 (All versions < V4.77), SIPROTEC Compact 7SK80 (All versions < V4.77). An attacker with local access to the engineering system or in a privileged network position and able to obtain certain network traffic could possibly reconstruct access authorization passwords.
{
"affected": [],
"aliases": [
"CVE-2018-4839"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-03-08T17:29:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been identified in DIGSI 4 (All versions \u003c V4.92), EN100 Ethernet module DNP3 variant (All versions \u003c V1.05.00), EN100 Ethernet module IEC 104 variant (All versions), EN100 Ethernet module IEC 61850 variant (All versions \u003c V4.30), EN100 Ethernet module Modbus TCP variant (All versions), EN100 Ethernet module PROFINET IO variant (All versions), Other SIPROTEC 4 relays (All versions), Other SIPROTEC Compact relays (All versions), SIPROTEC 4 7SD80 (All versions \u003c V4.70), SIPROTEC 4 7SJ61 (All versions \u003c V4.96), SIPROTEC 4 7SJ62 (All versions \u003c V4.96), SIPROTEC 4 7SJ64 (All versions \u003c V4.96), SIPROTEC 4 7SJ66 (All versions \u003c V4.30), SIPROTEC Compact 7SJ80 (All versions \u003c V4.77), SIPROTEC Compact 7SK80 (All versions \u003c V4.77). An attacker with local access to the engineering system or in a privileged network position and able to obtain certain network traffic could possibly reconstruct access authorization passwords.",
"id": "GHSA-qm8x-gp66-4vfh",
"modified": "2022-05-13T01:08:51Z",
"published": "2022-05-13T01:08:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-4839"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-203306.pdf"
},
{
"type": "WEB",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-067-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QP32-955X-2XGQ
Vulnerability from github – Published: 2022-05-24 16:58 – Updated: 2022-05-24 16:58The Infinite Design application 3.4.12 for Android sends a username and password via TCP without any encryption during login, as demonstrated by sniffing of a public Wi-Fi network.
{
"affected": [],
"aliases": [
"CVE-2019-17356"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-10-15T21:15:00Z",
"severity": "MODERATE"
},
"details": "The Infinite Design application 3.4.12 for Android sends a username and password via TCP without any encryption during login, as demonstrated by sniffing of a public Wi-Fi network.",
"id": "GHSA-qp32-955x-2xgq",
"modified": "2022-05-24T16:58:47Z",
"published": "2022-05-24T16:58:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17356"
},
{
"type": "WEB",
"url": "https://bit.ly/2kfL7xE"
},
{
"type": "WEB",
"url": "https://pastebin.com/yUFxs2J7"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-QR94-6Q3V-PGVJ
Vulnerability from github – Published: 2024-08-12 15:30 – Updated: 2024-08-29 15:30Insufficiently random values for generating password reset token in FIWARE Keyrock <= 8.4 allow attackers to take over the account of any user by predicting the token for the password reset link.
{
"affected": [],
"aliases": [
"CVE-2024-42163"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-12T13:38:32Z",
"severity": "HIGH"
},
"details": "Insufficiently random values for generating password reset token in FIWARE Keyrock \u003c= 8.4 allow\u00a0attackers to take over the account of any user by predicting the token for the password reset link.",
"id": "GHSA-qr94-6q3v-pgvj",
"modified": "2024-08-29T15:30:31Z",
"published": "2024-08-12T15:30:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42163"
},
{
"type": "WEB",
"url": "https://www.ait.ac.at/themen/cyber-security/pentesting/security-advisories"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-QRC4-RFHQ-CMFH
Vulnerability from github – Published: 2022-07-16 00:00 – Updated: 2022-07-23 00:00In Couchbase Server 7.1.x before 7.1.1, an encrypted Private Key passphrase may be leaked in the logs.
{
"affected": [],
"aliases": [
"CVE-2022-34826"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-15T12:15:00Z",
"severity": "MODERATE"
},
"details": "In Couchbase Server 7.1.x before 7.1.1, an encrypted Private Key passphrase may be leaked in the logs.",
"id": "GHSA-qrc4-rfhq-cmfh",
"modified": "2022-07-23T00:00:21Z",
"published": "2022-07-16T00:00:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34826"
},
{
"type": "WEB",
"url": "https://www.couchbase.com/alerts"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QVF5-HVJX-WM27
Vulnerability from github – Published: 2024-11-18 12:30 – Updated: 2025-01-24 21:41Incorrect object re-cycling and re-use vulnerability in Apache Tomcat. Incorrect recycling of the request and response used by HTTP/2 requests could lead to request and/or response mix-up between users.
This issue affects Apache Tomcat: from 11.0.0-M23 through 11.0.0-M26, from 10.1.27 through 10.1.30, from 9.0.92 through 9.0.95.
Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fixes the issue.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.tomcat.embed:tomcat-embed-core"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.92"
},
{
"fixed": "9.0.96"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.tomcat:tomcat-coyote"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.92"
},
{
"fixed": "9.0.96"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.tomcat.embed:tomcat-embed-core"
},
"ranges": [
{
"events": [
{
"introduced": "10.1.27"
},
{
"fixed": "10.1.31"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.tomcat.embed:tomcat-embed-core"
},
"ranges": [
{
"events": [
{
"introduced": "11.0.0-M23"
},
{
"fixed": "11.0.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.tomcat:tomcat-coyote"
},
"ranges": [
{
"events": [
{
"introduced": "10.1.27"
},
{
"fixed": "10.1.31"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.tomcat:tomcat-coyote"
},
"ranges": [
{
"events": [
{
"introduced": "11.0.0-M23"
},
{
"fixed": "11.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-52317"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": true,
"github_reviewed_at": "2024-11-18T21:03:05Z",
"nvd_published_at": "2024-11-18T12:15:18Z",
"severity": "MODERATE"
},
"details": "Incorrect object re-cycling and re-use vulnerability in Apache Tomcat.\u00a0Incorrect recycling of the request and response used by HTTP/2 requests could lead to request and/or response mix-up between users.\n\nThis issue affects Apache Tomcat: from 11.0.0-M23 through 11.0.0-M26, from 10.1.27 through 10.1.30, from 9.0.92 through 9.0.95.\n\nUsers are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fixes the issue.",
"id": "GHSA-qvf5-hvjx-wm27",
"modified": "2025-01-24T21:41:11Z",
"published": "2024-11-18T12:30:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52317"
},
{
"type": "WEB",
"url": "https://github.com/apache/tomcat/commit/146f94f87ea398fb592c7a20a5ccbef95e9dd72b"
},
{
"type": "WEB",
"url": "https://github.com/apache/tomcat/commit/47307ee27abcdea2ee40e33897aca760083de46a"
},
{
"type": "WEB",
"url": "https://github.com/apache/tomcat/commit/9e840ccacb40881c03a03b1e0746bfba7369b3bd"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/tomcat"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/ty376mrxy1mmxtw3ogo53nc9l3co3dfs"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20250124-0004"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/11/18/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Apache Tomcat Request and/or response mix-up"
}
GHSA-QW4M-3R5P-H4WQ
Vulnerability from github – Published: 2025-08-06 21:31 – Updated: 2025-08-07 06:30jsrsasign v11.1.0 was discovered to contain weak encryption.
{
"affected": [],
"aliases": [
"CVE-2025-45764"
],
"database_specific": {
"cwe_ids": [
"CWE-326",
"CWE-327"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-06T20:15:28Z",
"severity": "HIGH"
},
"details": "jsrsasign v11.1.0 was discovered to contain weak encryption.",
"id": "GHSA-qw4m-3r5p-h4wq",
"modified": "2025-08-07T06:30:30Z",
"published": "2025-08-06T21:31:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-45764"
},
{
"type": "WEB",
"url": "https://github.com/kjur/jsrsasign/issues/634"
},
{
"type": "WEB",
"url": "https://gist.github.com/ZupeiNie/2250cf1758771d56272dc326ce066202"
},
{
"type": "WEB",
"url": "https://github.com/kjur/jsrsasign"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Use an encryption scheme that is currently considered to be strong by experts in the field.
CAPEC-112: Brute Force
In this attack, some asset (information, functionality, identity, etc.) is protected by a finite secret value. The attacker attempts to gain access to this asset by using trial-and-error to exhaustively explore all the possible secret values in the hope of finding the secret (or a value that is functionally equivalent) that will unlock the asset.
CAPEC-192: Protocol Analysis
An adversary engages in activities to decipher and/or decode protocol information for a network or application communication protocol used for transmitting information between interconnected nodes or systems on a packet-switched data network. While this type of analysis involves the analysis of a networking protocol inherently, it does not require the presence of an actual or physical network.
CAPEC-20: Encryption Brute Forcing
An attacker, armed with the cipher text and the encryption algorithm used, performs an exhaustive (brute force) search on the key space to determine the key that decrypts the cipher text to obtain the plaintext.