Common Weakness Enumeration

CWE-326

Allowed-with-Review

Inadequate Encryption Strength

Abstraction: Class · Status: Draft

The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

631 vulnerabilities reference this CWE, most recent first.

GHSA-XFM3-5PRM-P3XQ

Vulnerability from github – Published: 2022-05-24 16:45 – Updated: 2024-04-04 00:24
VLAI
Details

IBM Rational Engineering Lifecycle Manager 6.0 through 6.0.6 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 143798.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-1608"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-05-01T16:29:00Z",
    "severity": "HIGH"
  },
  "details": "IBM Rational Engineering Lifecycle Manager 6.0 through 6.0.6 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 143798.",
  "id": "GHSA-xfm3-5prm-p3xq",
  "modified": "2024-04-04T00:24:37Z",
  "published": "2022-05-24T16:45:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1608"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/143798"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/docview.wss?uid=ibm10882778"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/108290"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XFXC-48QF-J4G6

Vulnerability from github – Published: 2023-12-05 00:31 – Updated: 2023-12-08 18:30
VLAI
Details

Weak encryption mechanisms in RFID Tags in Yale Conexis L1 v1.1.0 allows attackers to create a cloned tag via physical proximity to the original.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-26941"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-05T00:15:08Z",
    "severity": "MODERATE"
  },
  "details": "Weak encryption mechanisms in RFID Tags in Yale Conexis L1 v1.1.0 allows attackers to create a cloned tag via physical proximity to the original.",
  "id": "GHSA-xfxc-48qf-j4g6",
  "modified": "2023-12-08T18:30:41Z",
  "published": "2023-12-05T00:31:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26941"
    },
    {
      "type": "WEB",
      "url": "https://arxiv.org/abs/2312.00021"
    },
    {
      "type": "WEB",
      "url": "https://www.researchgate.net/publication/375759408_Technical_Report_-_CVE-2022-46480_CVE-2023-26941_CVE-2023-26942_and_CVE-2023-26943#fullTextFileContent"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XG5W-J24M-8379

Vulnerability from github – Published: 2023-01-06 00:30 – Updated: 2023-01-12 18:30
VLAI
Details

DES cipher, which has inadequate encryption strength, is used Hitachi Energy FOXMAN-UN to encrypt user credentials used to access the Network Elements. Successful exploitation allows sensitive information to be decrypted easily. This issue affects * FOXMAN-UN product: FOXMAN-UN R16A, FOXMAN-UN R15B, FOXMAN-UN R15A, FOXMAN-UN R14B, FOXMAN-UN R14A, FOXMAN-UN R11B, FOXMAN-UN R11A, FOXMAN-UN R10C, FOXMAN-UN R9C; * UNEM product: UNEM R16A, UNEM R15B, UNEM R15A, UNEM R14B, UNEM R14A, UNEM R11B, UNEM R11A, UNEM R10C, UNEM R9C. List of CPEs: * cpe:2.3:a:hitachienergy:foxman-un:R16A::::::: * cpe:2.3:a:hitachienergy:foxman-un:R15B::::::: * cpe:2.3:a:hitachienergy:foxman-un:R15A::::::: * cpe:2.3:a:hitachienergy:foxman-un:R14B::::::: * cpe:2.3:a:hitachienergy:foxman-un:R14A::::::: * cpe:2.3:a:hitachienergy:foxman-un:R11B::::::: * cpe:2.3:a:hitachienergy:foxman-un:R11A::::::: * cpe:2.3:a:hitachienergy:foxman-un:R10C::::::: * cpe:2.3:a:hitachienergy:foxman-un:R9C::::::: * cpe:2.3:a:hitachienergy:unem:R16A::::::: * cpe:2.3:a:hitachienergy:unem:R15B::::::: * cpe:2.3:a:hitachienergy:unem:R15A::::::: * cpe:2.3:a:hitachienergy:unem:R14B::::::: * cpe:2.3:a:hitachienergy:unem:R14A::::::: * cpe:2.3:a:hitachienergy:unem:R11B::::::: * cpe:2.3:a:hitachienergy:unem:R11A::::::: * cpe:2.3:a:hitachienergy:unem:R10C::::::: * cpe:2.3:a:hitachienergy:unem:R9C:::::::

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-40341"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-01-05T22:15:00Z",
    "severity": "MODERATE"
  },
  "details": "DES cipher, which has inadequate encryption strength, is used Hitachi Energy FOXMAN-UN to encrypt user credentials used to access the Network Elements. Successful exploitation allows sensitive information to be decrypted easily. This issue affects * FOXMAN-UN product: FOXMAN-UN R16A, FOXMAN-UN R15B, FOXMAN-UN R15A, FOXMAN-UN R14B, FOXMAN-UN R14A, FOXMAN-UN R11B, FOXMAN-UN R11A, FOXMAN-UN R10C, FOXMAN-UN R9C; * UNEM product: UNEM R16A, UNEM R15B, UNEM R15A, UNEM R14B, UNEM R14A, UNEM R11B, UNEM R11A, UNEM R10C, UNEM R9C. List of CPEs: * cpe:2.3:a:hitachienergy:foxman-un:R16A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R15B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R15A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R14B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R14A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R11B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R11A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R10C:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R9C:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R16A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R15B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R15A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R14B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R14A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R11B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R11A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R10C:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R9C:*:*:*:*:*:*:*",
  "id": "GHSA-xg5w-j24m-8379",
  "modified": "2023-01-12T18:30:29Z",
  "published": "2023-01-06T00:30:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40341"
    },
    {
      "type": "WEB",
      "url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000083\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
    },
    {
      "type": "WEB",
      "url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000084\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XJ59-9QJV-FR54

Vulnerability from github – Published: 2022-05-01 02:31 – Updated: 2025-04-12 13:05
VLAI
Details

SHA-1 is not collision resistant, which makes it easier for context-dependent attackers to conduct spoofing attacks, as demonstrated by attacks on the use of SHA-1 in TLS 1.2. NOTE: this CVE exists to provide a common identifier for referencing this SHA-1 issue; the existence of an identifier is not, by itself, a technology recommendation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2005-4900"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2016-10-14T16:59:00Z",
    "severity": "MODERATE"
  },
  "details": "SHA-1 is not collision resistant, which makes it easier for context-dependent attackers to conduct spoofing attacks, as demonstrated by attacks on the use of SHA-1 in TLS 1.2.  NOTE: this CVE exists to provide a common identifier for referencing this SHA-1 issue; the existence of an identifier is not, by itself, a technology recommendation.",
  "id": "GHSA-xj59-9qjv-fr54",
  "modified": "2025-04-12T13:05:40Z",
  "published": "2022-05-01T02:31:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2005-4900"
    },
    {
      "type": "WEB",
      "url": "https://arstechnica.com/security/2017/02/at-deaths-door-for-years-widely-used-sha1-function-is-now-dead"
    },
    {
      "type": "WEB",
      "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10340"
    },
    {
      "type": "WEB",
      "url": "https://security.googleblog.com/2015/12/an-update-on-sha-1-certificates-in.html"
    },
    {
      "type": "WEB",
      "url": "https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html"
    },
    {
      "type": "WEB",
      "url": "https://sites.google.com/site/itstheshappening"
    },
    {
      "type": "WEB",
      "url": "https://www.schneier.com/blog/archives/2005/02/sha1_broken.html"
    },
    {
      "type": "WEB",
      "url": "https://www.schneier.com/blog/archives/2005/08/new_cryptanalyt.html"
    },
    {
      "type": "WEB",
      "url": "http://ia.cr/2007/474"
    },
    {
      "type": "WEB",
      "url": "http://shattered.io"
    },
    {
      "type": "WEB",
      "url": "http://www.cwi.nl/news/2017/cwi-and-google-announce-first-collision-industry-security-standard-sha-1"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/12577"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XM5H-PCCR-WQ9G

Vulnerability from github – Published: 2022-05-24 19:10 – Updated: 2022-05-24 19:10
VLAI
Details

In SapphireIMS 4097_1, the password in the database is stored in Base64 format.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-16632"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-08-11T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "In SapphireIMS 4097_1, the password in the database is stored in Base64 format.",
  "id": "GHSA-xm5h-pccr-wq9g",
  "modified": "2022-05-24T19:10:39Z",
  "published": "2022-05-24T19:10:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-16632"
    },
    {
      "type": "WEB",
      "url": "https://vuln.shellcoder.party/2020/07/18/cve-2017-16632-sapphireims-insecure-storage-of-password"
    },
    {
      "type": "WEB",
      "url": "https://vuln.shellcoder.party/tags/sapphireims"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-XM9V-FG48-44V7

Vulnerability from github – Published: 2024-06-15 00:31 – Updated: 2024-07-03 18:45
VLAI
Details

HCL DRYiCE Optibot Reset Station is impacted by a missing Strict Transport Security Header.  This could allow an attacker to intercept or manipulate data during redirection.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-30119"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326",
      "CWE-522"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-14T22:15:10Z",
    "severity": "LOW"
  },
  "details": "HCL DRYiCE Optibot Reset Station\u00a0is impacted by a missing Strict Transport Security Header. \u00a0This could allow an attacker to intercept or manipulate data during redirection.",
  "id": "GHSA-xm9v-fg48-44v7",
  "modified": "2024-07-03T18:45:28Z",
  "published": "2024-06-15T00:31:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30119"
    },
    {
      "type": "WEB",
      "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0113496"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XPPM-X368-2QJM

Vulnerability from github – Published: 2022-10-06 18:52 – Updated: 2022-10-07 18:15
VLAI
Details

In affected versions of Octopus Server it was identified that the same encryption process was used for both encrypting session cookies and variables.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-2781"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-10-06T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In affected versions of Octopus Server it was identified that the same encryption process was used for both encrypting session cookies and variables.",
  "id": "GHSA-xppm-x368-2qjm",
  "modified": "2022-10-07T18:15:43Z",
  "published": "2022-10-06T18:52:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2781"
    },
    {
      "type": "WEB",
      "url": "https://advisories.octopus.com/post/2022/sa2022-16"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XVW6-GW98-7W9W

Vulnerability from github – Published: 2023-11-09 15:30 – Updated: 2023-11-17 15:30
VLAI
Details

The leakage of channel access token in Lil.OFF-PRICE STORE Line 13.6.1 allows remote attackers to send malicious notifications to victims.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-47365"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-09T14:15:08Z",
    "severity": "MODERATE"
  },
  "details": "The leakage of channel access token in Lil.OFF-PRICE STORE Line 13.6.1 allows remote attackers to send malicious notifications to victims.",
  "id": "GHSA-xvw6-gw98-7w9w",
  "modified": "2023-11-17T15:30:26Z",
  "published": "2023-11-09T15:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47365"
    },
    {
      "type": "WEB",
      "url": "https://github.com/syz913/CVE-reports/blob/main/Lil.OFF-PRICE%20STORE.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XWPW-54M2-P853

Vulnerability from github – Published: 2021-12-26 00:00 – Updated: 2023-08-08 15:31
VLAI
Details

In NetBSD through 9.2, the IPv6 fragment ID generation algorithm employs a weak cryptographic PRNG.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-45484"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-12-25T02:15:00Z",
    "severity": "HIGH"
  },
  "details": "In NetBSD through 9.2, the IPv6 fragment ID generation algorithm employs a weak cryptographic PRNG.",
  "id": "GHSA-xwpw-54m2-p853",
  "modified": "2023-08-08T15:31:27Z",
  "published": "2021-12-26T00:00:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45484"
    },
    {
      "type": "WEB",
      "url": "https://arxiv.org/pdf/2112.09604.pdf"
    },
    {
      "type": "WEB",
      "url": "http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2021-001.txt.asc"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XX34-QQ6X-QVV2

Vulnerability from github – Published: 2022-05-24 16:56 – Updated: 2022-12-09 21:30
VLAI
Details

IBM Cognos Controller 10.3.0, 10.3.1, 10.4.0, and 10.4.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 158880.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-4175"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-09-17T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "IBM Cognos Controller 10.3.0, 10.3.1, 10.4.0, and 10.4.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 158880.",
  "id": "GHSA-xx34-qq6x-qvv2",
  "modified": "2022-12-09T21:30:52Z",
  "published": "2022-05-24T16:56:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-4175"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/158880"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/security-bulletin-security-vulnerabilties-exist-ibm-cognos-controller"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Use an encryption scheme that is currently considered to be strong by experts in the field.

CAPEC-112: Brute Force

In this attack, some asset (information, functionality, identity, etc.) is protected by a finite secret value. The attacker attempts to gain access to this asset by using trial-and-error to exhaustively explore all the possible secret values in the hope of finding the secret (or a value that is functionally equivalent) that will unlock the asset.

CAPEC-192: Protocol Analysis

An adversary engages in activities to decipher and/or decode protocol information for a network or application communication protocol used for transmitting information between interconnected nodes or systems on a packet-switched data network. While this type of analysis involves the analysis of a networking protocol inherently, it does not require the presence of an actual or physical network.

CAPEC-20: Encryption Brute Forcing

An attacker, armed with the cipher text and the encryption algorithm used, performs an exhaustive (brute force) search on the key space to determine the key that decrypts the cipher text to obtain the plaintext.