CWE-326
Allowed-with-ReviewInadequate Encryption Strength
Abstraction: Class · Status: Draft
The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
631 vulnerabilities reference this CWE, most recent first.
GHSA-RVQ2-HQR6-PGQQ
Vulnerability from github – Published: 2022-05-14 04:04 – Updated: 2025-04-20 03:49An issue was discovered in the software on Vaultek Gun Safe VT20i products. There is no encryption of the session between the Android application and the safe. The website and marketing materials advertise that this communication channel is encrypted with "Highest Level Bluetooth Encryption" and "Data transmissions are secure via AES256 bit encryption." These claims, however, are not true. Moreover, AES256 bit encryption is not supported in the Bluetooth Low Energy (BLE) standard, so it would have to be at the application level. This lack of encryption allows an individual to learn the passcode by eavesdropping on the communications between the application and the safe.
{
"affected": [],
"aliases": [
"CVE-2017-17436"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-12-07T00:29:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in the software on Vaultek Gun Safe VT20i products. There is no encryption of the session between the Android application and the safe. The website and marketing materials advertise that this communication channel is encrypted with \"Highest Level Bluetooth Encryption\" and \"Data transmissions are secure via AES256 bit encryption.\" These claims, however, are not true. Moreover, AES256 bit encryption is not supported in the Bluetooth Low Energy (BLE) standard, so it would have to be at the application level. This lack of encryption allows an individual to learn the passcode by eavesdropping on the communications between the application and the safe.",
"id": "GHSA-rvq2-hqr6-pgqq",
"modified": "2025-04-20T03:49:32Z",
"published": "2022-05-14T04:04:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-17436"
},
{
"type": "WEB",
"url": "https://vaulteksafe.com/index.php/cve-2017-17435"
},
{
"type": "WEB",
"url": "https://www.twosixlabs.com/bluesteal-popping-gatt-safes"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RVXX-GX2M-H7RC
Vulnerability from github – Published: 2022-02-15 01:38 – Updated: 2022-02-15 01:38A flaw was found when an OpenSSL security provider is used with Wildfly, the 'enabled-protocols' value in the Wildfly configuration isn't honored. An attacker could target the traffic sent from Wildfly and downgrade the connection to a weaker version of TLS, potentially breaking the encryption. This could lead to a leak of the data being passed over the network. Wildfly version 7.2.0.GA, 7.2.3.GA and 7.2.5.CR2 are believed to be vulnerable.
{
"affected": [],
"aliases": [
"CVE-2019-14887"
],
"database_specific": {
"cwe_ids": [
"CWE-326",
"CWE-757"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-03-16T15:15:00Z",
"severity": "MODERATE"
},
"details": "A flaw was found when an OpenSSL security provider is used with Wildfly, the \u0027enabled-protocols\u0027 value in the Wildfly configuration isn\u0027t honored. An attacker could target the traffic sent from Wildfly and downgrade the connection to a weaker version of TLS, potentially breaking the encryption. This could lead to a leak of the data being passed over the network. Wildfly version 7.2.0.GA, 7.2.3.GA and 7.2.5.CR2 are believed to be vulnerable.",
"id": "GHSA-rvxx-gx2m-h7rc",
"modified": "2022-02-15T01:38:58Z",
"published": "2022-02-15T01:38:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14887"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14887"
},
{
"type": "WEB",
"url": "https://issues.redhat.com/browse/JBEAP-17965"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20200327-0007"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Inadequate Encryption Strength and Algorithm Downgrade in Wildfly"
}
GHSA-RX59-9P4R-R7RQ
Vulnerability from github – Published: 2022-05-24 17:37 – Updated: 2022-05-24 17:37The AES encryption project 7.x and 8.x for Drupal does not sufficiently prevent attackers from decrypting data, aka SA-CONTRIB-2017-027. NOTE: This project is not covered by Drupal's security advisory policy.
{
"affected": [],
"aliases": [
"CVE-2017-20001"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-01-01T01:15:00Z",
"severity": "HIGH"
},
"details": "The AES encryption project 7.x and 8.x for Drupal does not sufficiently prevent attackers from decrypting data, aka SA-CONTRIB-2017-027. NOTE: This project is not covered by Drupal\u0027s security advisory policy.",
"id": "GHSA-rx59-9p4r-r7rq",
"modified": "2022-05-24T17:37:32Z",
"published": "2022-05-24T17:37:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-20001"
},
{
"type": "WEB",
"url": "https://www.drupal.org/node/2857028"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-V2X4-9R4M-M784
Vulnerability from github – Published: 2025-12-02 12:30 – Updated: 2025-12-02 12:30Insufficient encryption strength in Sprecher Automation SPRECON-E-C, SPRECON-E-P, and SPRECON-E-T3 allows a local unprivileged attacker to extract data from update images and thus obtain limited information about the architecture and internal processes.
{
"affected": [],
"aliases": [
"CVE-2025-41743"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-02T11:15:51Z",
"severity": "MODERATE"
},
"details": "Insufficient encryption strength in Sprecher Automation SPRECON-E-C, SPRECON-E-P, and SPRECON-E-T3 allows a local unprivileged attacker to extract data from update images and thus obtain limited information about the architecture and internal processes.",
"id": "GHSA-v2x4-9r4m-m784",
"modified": "2025-12-02T12:30:28Z",
"published": "2025-12-02T12:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-41743"
},
{
"type": "WEB",
"url": "https://www.sprecher-automation.com/fileadmin/itSecurity/PDF/SPR-2511043_de.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-V3RW-94VX-73W6
Vulnerability from github – Published: 2022-05-24 17:30 – Updated: 2022-05-24 17:30In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when AES-CCM mode is used with openssl_encrypt() function with 12 bytes IV, only first 7 bytes of the IV is actually used. This can lead to both decreased security and incorrect encryption data.
{
"affected": [],
"aliases": [
"CVE-2020-7069"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-02T15:15:00Z",
"severity": "MODERATE"
},
"details": "In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when AES-CCM mode is used with openssl_encrypt() function with 12 bytes IV, only first 7 bytes of the IV is actually used. This can lead to both decreased security and incorrect encryption data.",
"id": "GHSA-v3rw-94vx-73w6",
"modified": "2022-05-24T17:30:04Z",
"published": "2022-05-24T17:30:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7069"
},
{
"type": "WEB",
"url": "https://bugs.php.net/bug.php?id=79601"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7EVDN7D3IB4EAI4D3ZOM2OJKQ5SD7K4E"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P2J3ZZDHCSX65T5QWV4AHBN7MOJXBEKG"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RRU57N3OSYZPOMFWPRDNVH7EMYOTSZ66"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202012-16"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20201016-0001"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4583-1"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2021/dsa-4856"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"type": "WEB",
"url": "https://www.tenable.com/security/tns-2021-14"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00045.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00067.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-V428-FCQJ-H6V2
Vulnerability from github – Published: 2023-11-09 15:30 – Updated: 2023-11-20 18:30The leakage of channel access token in platinum clinic Line 13.6.1 allows remote attackers to send malicious notifications to victims.
{
"affected": [],
"aliases": [
"CVE-2023-47367"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-09T14:15:08Z",
"severity": "MODERATE"
},
"details": "The leakage of channel access token in platinum clinic Line 13.6.1 allows remote attackers to send malicious notifications to victims.",
"id": "GHSA-v428-fcqj-h6v2",
"modified": "2023-11-20T18:30:45Z",
"published": "2023-11-09T15:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47367"
},
{
"type": "WEB",
"url": "https://github.com/syz913/CVE-reports/blob/main/platinum%20clinic.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-V496-3MJ8-FPC6
Vulnerability from github – Published: 2022-05-13 01:24 – Updated: 2022-05-13 01:24Mozilla Network Security Services (NSS) before 3.15.4, as used in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, SeaMonkey before 2.24, and other products, does not properly restrict public values in Diffie-Hellman key exchanges, which makes it easier for remote attackers to bypass cryptographic protection mechanisms in ticket handling by leveraging use of a certain value.
{
"affected": [],
"aliases": [
"CVE-2014-1491"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2014-02-06T05:44:00Z",
"severity": "MODERATE"
},
"details": "Mozilla Network Security Services (NSS) before 3.15.4, as used in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, SeaMonkey before 2.24, and other products, does not properly restrict public values in Diffie-Hellman key exchanges, which makes it easier for remote attackers to bypass cryptographic protection mechanisms in ticket handling by leveraging use of a certain value.",
"id": "GHSA-v496-3mj8-fpc6",
"modified": "2022-05-13T01:24:47Z",
"published": "2022-05-13T01:24:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-1491"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=934545"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90886"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201504-01"
},
{
"type": "WEB",
"url": "http://hg.mozilla.org/projects/nss/rev/12c42006aed8"
},
{
"type": "WEB",
"url": "http://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10761"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-February/127966.html"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-February/129218.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00004.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00005.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00010.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00017.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2014/Dec/23"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/56858"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/56888"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/56922"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2014/dsa-2858"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2014/dsa-2994"
},
{
"type": "WEB",
"url": "http://www.mozilla.org/security/announce/2014/mfsa2014-12.html"
},
{
"type": "WEB",
"url": "http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html"
},
{
"type": "WEB",
"url": "http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html"
},
{
"type": "WEB",
"url": "http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html"
},
{
"type": "WEB",
"url": "http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html"
},
{
"type": "WEB",
"url": "http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/archive/1/534161/100/0/threaded"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/65332"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1029717"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1029720"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1029721"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-2102-1"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-2102-2"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-2119-1"
},
{
"type": "WEB",
"url": "http://www.vmware.com/security/advisories/VMSA-2014-0012.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-V4H8-R639-2F33
Vulnerability from github – Published: 2022-05-24 17:17 – Updated: 2022-05-24 17:17On versions 15.0.0-15.1.0.1, 14.1.0-14.1.2.3, 13.1.0-13.1.3.3, and 12.1.0-12.1.5.1, BIG-IP systems set up for connection mirroring in a high availability (HA) pair transfer sensitive cryptographic objects over an insecure communications channel. This is a control plane issue which is exposed only on the network used for connection mirroring.
{
"affected": [],
"aliases": [
"CVE-2020-5885"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-04-30T21:15:00Z",
"severity": "MODERATE"
},
"details": "On versions 15.0.0-15.1.0.1, 14.1.0-14.1.2.3, 13.1.0-13.1.3.3, and 12.1.0-12.1.5.1, BIG-IP systems set up for connection mirroring in a high availability (HA) pair transfer sensitive cryptographic objects over an insecure communications channel. This is a control plane issue which is exposed only on the network used for connection mirroring.",
"id": "GHSA-v4h8-r639-2f33",
"modified": "2022-05-24T17:17:01Z",
"published": "2022-05-24T17:17:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5885"
},
{
"type": "WEB",
"url": "https://support.f5.com/csp/article/K17663061"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-V4M6-PHWC-PMMJ
Vulnerability from github – Published: 2022-05-17 02:55 – Updated: 2022-05-17 02:55An issue was discovered in sysPass 2.x before 2.1, in which an algorithm was never sufficiently reviewed by cryptographers. The fact that inc/SP/Core/Crypt.class is using the MCRYPT_RIJNDAEL_256() function (the 256-bit block version of Rijndael, not AES) instead of MCRYPT_RIJNDAEL_128 (real AES) could help an attacker to create unknown havoc in the remote system.
{
"affected": [],
"aliases": [
"CVE-2017-5999"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-03-06T06:59:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in sysPass 2.x before 2.1, in which an algorithm was never sufficiently reviewed by cryptographers. The fact that inc/SP/Core/Crypt.class is using the MCRYPT_RIJNDAEL_256() function (the 256-bit block version of Rijndael, not AES) instead of MCRYPT_RIJNDAEL_128 (real AES) could help an attacker to create unknown havoc in the remote system.",
"id": "GHSA-v4m6-phwc-pmmj",
"modified": "2022-05-17T02:55:24Z",
"published": "2022-05-17T02:55:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5999"
},
{
"type": "WEB",
"url": "https://github.com/nuxsmin/sysPass/commit/a0e2c485e53b370a7cc6d833e192c3c5bfd70e1f"
},
{
"type": "WEB",
"url": "https://cxsecurity.com/issue/WLB-2017020196"
},
{
"type": "WEB",
"url": "https://github.com/nuxsmin/sysPass/releases/tag/2.1.0.17022601"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/96562"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-V596-2MXW-3XH7
Vulnerability from github – Published: 2024-04-19 06:30 – Updated: 2025-02-04 18:30When a Brocade SANnav installation is upgraded from Brocade SANnav v2.2.2 to Brocade SANnav 2.3.0, TLS/SSL weak message authentication code ciphers are added by default for port 18082.
{
"affected": [],
"aliases": [
"CVE-2024-29969"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-19T06:15:07Z",
"severity": "HIGH"
},
"details": "When a Brocade SANnav installation is upgraded from Brocade SANnav v2.2.2 to Brocade SANnav 2.3.0, TLS/SSL weak message authentication code ciphers are added by default for port 18082.",
"id": "GHSA-v596-2mxw-3xh7",
"modified": "2025-02-04T18:30:44Z",
"published": "2024-04-19T06:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29969"
},
{
"type": "WEB",
"url": "https://support.broadcom.com/external/content/SecurityAdvisories/0/23251"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Use an encryption scheme that is currently considered to be strong by experts in the field.
CAPEC-112: Brute Force
In this attack, some asset (information, functionality, identity, etc.) is protected by a finite secret value. The attacker attempts to gain access to this asset by using trial-and-error to exhaustively explore all the possible secret values in the hope of finding the secret (or a value that is functionally equivalent) that will unlock the asset.
CAPEC-192: Protocol Analysis
An adversary engages in activities to decipher and/or decode protocol information for a network or application communication protocol used for transmitting information between interconnected nodes or systems on a packet-switched data network. While this type of analysis involves the analysis of a networking protocol inherently, it does not require the presence of an actual or physical network.
CAPEC-20: Encryption Brute Forcing
An attacker, armed with the cipher text and the encryption algorithm used, performs an exhaustive (brute force) search on the key space to determine the key that decrypts the cipher text to obtain the plaintext.