CWE-326
Allowed-with-ReviewInadequate Encryption Strength
Abstraction: Class · Status: Draft
The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
631 vulnerabilities reference this CWE, most recent first.
GHSA-QWJQ-MWF2-6FJF
Vulnerability from github – Published: 2022-05-17 02:45 – Updated: 2022-05-17 02:45PGP/MIME encrypted messages injected into a Vaultive O365 (before 4.5.21) frontend via IMAP or SMTP have their Content-Type changed from 'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="abc123abc123"' to 'Content-Type: text/plain' - this results in the encrypted message being structured in such a way that most PGP/MIME-capable mail user agents are unable to decrypt it cleanly. The outcome is that encrypted mail passing through this device does not work (Denial of Service), and a common real-world consequence is a request to resend the mail in the clear (Information Disclosure).
{
"affected": [],
"aliases": [
"CVE-2017-7229"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-05-03T20:59:00Z",
"severity": "CRITICAL"
},
"details": "PGP/MIME encrypted messages injected into a Vaultive O365 (before 4.5.21) frontend via IMAP or SMTP have their Content-Type changed from \u0027Content-Type: multipart/encrypted; protocol=\"application/pgp-encrypted\"; boundary=\"abc123abc123\"\u0027 to \u0027Content-Type: text/plain\u0027 - this results in the encrypted message being structured in such a way that most PGP/MIME-capable mail user agents are unable to decrypt it cleanly. The outcome is that encrypted mail passing through this device does not work (Denial of Service), and a common real-world consequence is a request to resend the mail in the clear (Information Disclosure).",
"id": "GHSA-qwjq-mwf2-6fjf",
"modified": "2022-05-17T02:45:38Z",
"published": "2022-05-17T02:45:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7229"
},
{
"type": "WEB",
"url": "https://gist.github.com/dkg/a1998c861bf2430e0d01d586905b11cb"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QWR9-MWMG-R8C4
Vulnerability from github – Published: 2022-05-24 16:52 – Updated: 2022-05-24 16:52An issue was discovered on D-Link 6600-AP and DWL-3600AP Ax 4.2.0.14 21/03/2019 devices. There is use of weak ciphers for SSH such as diffie-hellman-group1-sha1.
{
"affected": [],
"aliases": [
"CVE-2019-14332"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-08-01T13:15:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered on D-Link 6600-AP and DWL-3600AP Ax 4.2.0.14 21/03/2019 devices. There is use of weak ciphers for SSH such as diffie-hellman-group1-sha1.",
"id": "GHSA-qwr9-mwmg-r8c4",
"modified": "2022-05-24T16:52:03Z",
"published": "2022-05-24T16:52:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14332"
},
{
"type": "WEB",
"url": "https://us.dlink.com/en/security-advisory"
},
{
"type": "WEB",
"url": "https://www.dlink.com/en/security-bulletin"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/153840/D-Link-6600-AP-XSS-DoS-Information-Disclosure.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-QX3J-RJ87-66PJ
Vulnerability from github – Published: 2024-08-02 12:31 – Updated: 2024-08-02 12:31The encryption strength of the authorization keys in CHANGING Information Technology TCBServiSign Windows Version is insufficient. When a remote attacker tricks a victim into visiting a malicious website, TCBServiSign will treat that website as a legitimate server and interact with it.
{
"affected": [],
"aliases": [
"CVE-2024-40719"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-02T10:16:00Z",
"severity": "MODERATE"
},
"details": "The encryption strength of the authorization keys in CHANGING Information Technology TCBServiSign Windows Version is insufficient. When a remote attacker tricks a victim into visiting a malicious website, TCBServiSign will treat that website as a legitimate server and interact with it.",
"id": "GHSA-qx3j-rj87-66pj",
"modified": "2024-08-02T12:31:43Z",
"published": "2024-08-02T12:31:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40719"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/en/cp-139-7970-e8ac5-2.html"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/tw/cp-132-7964-5b266-1.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R2XR-PXXQ-CXV4
Vulnerability from github – Published: 2022-05-24 17:49 – Updated: 2022-05-24 17:49Dell EMC Networking X-Series firmware versions prior to 3.0.1.8 and Dell EMC PowerEdge VRTX Switch Module firmware versions prior to 2.0.0.82 contain a Weak Password Encryption Vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable system with privileges of the compromised account.
{
"affected": [],
"aliases": [
"CVE-2021-21507"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-04-30T21:15:00Z",
"severity": "CRITICAL"
},
"details": "Dell EMC Networking X-Series firmware versions prior to 3.0.1.8 and Dell EMC PowerEdge VRTX Switch Module firmware versions prior to 2.0.0.82 contain a Weak Password Encryption Vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable system with privileges of the compromised account.",
"id": "GHSA-r2xr-pxxq-cxv4",
"modified": "2022-05-24T17:49:23Z",
"published": "2022-05-24T17:49:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21507"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/000185252"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-R35R-MRC6-XGFP
Vulnerability from github – Published: 2026-04-16 00:54 – Updated: 2026-05-06 15:32Inadequate Encryption Strength vulnerability in TP-Link Archer C7 v5 and v5.8 (uhttpd modules) allows Password Recovery Exploitation. The web interface encrypts the admin password client-side using RSA-1024 before sending it to the router during login. An adjacent attacker with the ability to intercept network traffic could potentially perform a brute-force or factorization attack against the 1024-bit RSA key to recover the plaintext administrator password, leading to unauthorized access and compromise of the device configuration. This issue affects Archer C7: through Build 20220715.
{
"affected": [],
"aliases": [
"CVE-2026-5363"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-16T00:16:29Z",
"severity": "MODERATE"
},
"details": "Inadequate Encryption Strength vulnerability in TP-Link Archer C7 v5 and v5.8 (uhttpd modules) allows Password Recovery Exploitation.\u00a0The web interface encrypts the admin password client-side using RSA-1024 before sending it to the router during login.\u00a0\nAn adjacent attacker with the ability to intercept network traffic could potentially perform a brute-force or factorization attack against the 1024-bit RSA key to recover the plaintext administrator password, leading to unauthorized access and compromise of the device configuration.\u00a0\u00a0This issue affects Archer C7: through Build 20220715.",
"id": "GHSA-r35r-mrc6-xgfp",
"modified": "2026-05-06T15:32:33Z",
"published": "2026-04-16T00:54:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5363"
},
{
"type": "WEB",
"url": "https://www.tp-link.com/us/support/faq/3562"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-R3CP-34P4-Q2X9
Vulnerability from github – Published: 2022-05-24 19:06 – Updated: 2022-05-24 19:06SICK Visionary-S CX up version 5.21.2.29154R are vulnerable to an Inadequate Encryption Strength vulnerability concerning the internal SSH interface solely used by SICK for recovering returned devices. The use of weak ciphers make it easier for an attacker to break the security that protects information transmitted from the client to the SSH server, assuming the attacker has access to the network on which the device is connected. This can increase the risk that encryption will be compromised, leading to the exposure of sensitive user information and man-in-the-middle attacks.
{
"affected": [],
"aliases": [
"CVE-2021-32496"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-28T12:15:00Z",
"severity": "MODERATE"
},
"details": "SICK Visionary-S CX up version 5.21.2.29154R are vulnerable to an Inadequate Encryption Strength vulnerability concerning the internal SSH interface solely used by SICK for recovering returned devices. The use of weak ciphers make it easier for an attacker to break the security that protects information transmitted from the client to the SSH server, assuming the attacker has access to the network on which the device is connected. This can increase the risk that encryption will be compromised, leading to the exposure of sensitive user information and man-in-the-middle attacks.",
"id": "GHSA-r3cp-34p4-q2x9",
"modified": "2022-05-24T19:06:27Z",
"published": "2022-05-24T19:06:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32496"
},
{
"type": "WEB",
"url": "https://www.sick.com/de/en/service-and-support/the-sick-product-security-incident-response-team-sick-psirt/w/psirt/#advisories"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-R3RX-WWCP-FF6R
Vulnerability from github – Published: 2022-05-24 19:07 – Updated: 2022-05-24 19:07IBM Cloud Pak for Applications 4.3 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 195031.
{
"affected": [],
"aliases": [
"CVE-2021-20360"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-07-13T16:15:00Z",
"severity": "HIGH"
},
"details": "IBM Cloud Pak for Applications 4.3 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 195031.",
"id": "GHSA-r3rx-wwcp-ff6r",
"modified": "2022-05-24T19:07:34Z",
"published": "2022-05-24T19:07:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20360"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/195031"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6471271"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-R48C-XM7Q-2F8V
Vulnerability from github – Published: 2023-04-19 21:30 – Updated: 2024-04-04 03:36Improper usage of symmetric encryption in UI Desktop for Windows (Version 0.59.1.71 and earlier) could allow users with access to UI Desktop configuration files to decrypt their content.This vulnerability is fixed in Version 0.62.3 and later.
{
"affected": [],
"aliases": [
"CVE-2023-28124"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-19T20:15:12Z",
"severity": "MODERATE"
},
"details": "Improper usage of symmetric encryption in UI Desktop for Windows (Version 0.59.1.71 and earlier) could allow users with access to UI Desktop configuration files to decrypt their content.This vulnerability is fixed in Version 0.62.3 and later.",
"id": "GHSA-r48c-xm7q-2f8v",
"modified": "2024-04-04T03:36:17Z",
"published": "2023-04-19T21:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28124"
},
{
"type": "WEB",
"url": "https://community.ui.com/releases/Security-Advisory-Bulletin-029-029/a47c68f2-1f3a-47c3-b577-eb70599644e4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R4GH-6RQ3-R7PF
Vulnerability from github – Published: 2023-11-09 15:30 – Updated: 2023-11-20 18:30The leakage of channel access token in best_training_member Line 13.6.1 allows remote attackers to send malicious notifications.
{
"affected": [],
"aliases": [
"CVE-2023-47369"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-09T14:15:08Z",
"severity": "MODERATE"
},
"details": "The leakage of channel access token in best_training_member Line 13.6.1 allows remote attackers to send malicious notifications.",
"id": "GHSA-r4gh-6rq3-r7pf",
"modified": "2023-11-20T18:30:45Z",
"published": "2023-11-09T15:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47369"
},
{
"type": "WEB",
"url": "https://github.com/syz913/CVE-reports/blob/main/best_training_member.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R597-7J2H-6248
Vulnerability from github – Published: 2024-10-15 12:30 – Updated: 2024-10-15 12:30An unauthenticated local attacker can decrypt the devices config file and therefore compromise the device due to a weak implementation of the encryption used.
{
"affected": [],
"aliases": [
"CVE-2024-45273"
],
"database_specific": {
"cwe_ids": [
"CWE-261",
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-15T11:15:11Z",
"severity": "HIGH"
},
"details": "An unauthenticated local attacker can decrypt the devices config file and therefore compromise the device due to a weak implementation of the encryption used.",
"id": "GHSA-r597-7j2h-6248",
"modified": "2024-10-15T12:30:37Z",
"published": "2024-10-15T12:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45273"
},
{
"type": "WEB",
"url": "https://cert.vde.com/en/advisories/VDE-2024-056"
},
{
"type": "WEB",
"url": "https://cert.vde.com/en/advisories/VDE-2024-066"
},
{
"type": "WEB",
"url": "https://cert.vde.com/en/advisories/VDE-2024-068"
},
{
"type": "WEB",
"url": "https://cert.vde.com/en/advisories/VDE-2024-069"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Use an encryption scheme that is currently considered to be strong by experts in the field.
CAPEC-112: Brute Force
In this attack, some asset (information, functionality, identity, etc.) is protected by a finite secret value. The attacker attempts to gain access to this asset by using trial-and-error to exhaustively explore all the possible secret values in the hope of finding the secret (or a value that is functionally equivalent) that will unlock the asset.
CAPEC-192: Protocol Analysis
An adversary engages in activities to decipher and/or decode protocol information for a network or application communication protocol used for transmitting information between interconnected nodes or systems on a packet-switched data network. While this type of analysis involves the analysis of a networking protocol inherently, it does not require the presence of an actual or physical network.
CAPEC-20: Encryption Brute Forcing
An attacker, armed with the cipher text and the encryption algorithm used, performs an exhaustive (brute force) search on the key space to determine the key that decrypts the cipher text to obtain the plaintext.