CWE-326
Allowed-with-ReviewInadequate Encryption Strength
Abstraction: Class · Status: Draft
The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
633 vulnerabilities reference this CWE, most recent first.
GHSA-58PP-MQMQ-89C9
Vulnerability from github – Published: 2023-02-09 21:30 – Updated: 2023-02-17 18:30Improper cryptographic implementation in Samsung Flow for PC 4.9.14.0 allows adjacent attackers to decrypt encrypted messages or inject commands.
{
"affected": [],
"aliases": [
"CVE-2023-21444"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-09T19:15:00Z",
"severity": "HIGH"
},
"details": "Improper cryptographic implementation in Samsung Flow for PC 4.9.14.0 allows adjacent attackers to decrypt encrypted messages or inject commands.",
"id": "GHSA-58pp-mqmq-89c9",
"modified": "2023-02-17T18:30:25Z",
"published": "2023-02-09T21:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-21444"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2023\u0026month=02"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-59H7-2C4X-36QM
Vulnerability from github – Published: 2021-12-27 00:01 – Updated: 2023-08-08 15:31Certain NETGEAR devices are affected by weak cryptography. This affects D7000v2 before 1.0.0.62, D8500 before 1.0.3.50, EX3700 before 1.0.0.84, EX3800 before 1.0.0.84, EX6120 before 1.0.0.54, EX6130 before 1.0.0.36, EX7000 before 1.0.1.90, R6250 before 1.0.4.42, R6400v2 before 1.0.4.98, R6700v3 before 1.0.4.98, R6900P before 1.3.2.124, R7000 before 1.0.11.106, R7000P before 1.3.2.124, R7100LG before 1.0.0.56, R7900 before 1.0.4.26, R8000 before 1.0.4.58, R8300 before 1.0.2.134, R8500 before 1.0.2.134, RS400 before 1.5.0.48, WNR3500Lv2 before 1.2.0.62, and XR300 before 1.0.3.50.
{
"affected": [],
"aliases": [
"CVE-2021-45512"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-26T01:15:00Z",
"severity": "CRITICAL"
},
"details": "Certain NETGEAR devices are affected by weak cryptography. This affects D7000v2 before 1.0.0.62, D8500 before 1.0.3.50, EX3700 before 1.0.0.84, EX3800 before 1.0.0.84, EX6120 before 1.0.0.54, EX6130 before 1.0.0.36, EX7000 before 1.0.1.90, R6250 before 1.0.4.42, R6400v2 before 1.0.4.98, R6700v3 before 1.0.4.98, R6900P before 1.3.2.124, R7000 before 1.0.11.106, R7000P before 1.3.2.124, R7100LG before 1.0.0.56, R7900 before 1.0.4.26, R8000 before 1.0.4.58, R8300 before 1.0.2.134, R8500 before 1.0.2.134, RS400 before 1.5.0.48, WNR3500Lv2 before 1.2.0.62, and XR300 before 1.0.3.50.",
"id": "GHSA-59h7-2c4x-36qm",
"modified": "2023-08-08T15:31:27Z",
"published": "2021-12-27T00:01:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45512"
},
{
"type": "WEB",
"url": "https://kb.netgear.com/000064117/Security-Advisory-for-Broken-Cryptography-on-Some-Routers-and-Extenders-PSV-2020-0134"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5CR2-3QP3-5H49
Vulnerability from github – Published: 2022-05-13 01:08 – Updated: 2022-05-13 01:08Moxa MGate MB3180 before 1.8, MGate MB3280 before 2.7, MGate MB3480 before 2.6, MGate MB3170 before 2.5, and MGate MB3270 before 2.7 use weak encryption, which allows remote attackers to bypass authentication via a brute-force series of guesses for a parameter value.
{
"affected": [],
"aliases": [
"CVE-2016-5804"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2016-07-15T16:59:00Z",
"severity": "CRITICAL"
},
"details": "Moxa MGate MB3180 before 1.8, MGate MB3280 before 2.7, MGate MB3480 before 2.6, MGate MB3170 before 2.5, and MGate MB3270 before 2.7 use weak encryption, which allows remote attackers to bypass authentication via a brute-force series of guesses for a parameter value.",
"id": "GHSA-5cr2-3qp3-5h49",
"modified": "2022-05-13T01:08:36Z",
"published": "2022-05-13T01:08:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-5804"
},
{
"type": "WEB",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-16-196-02"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/91777"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5CWM-9HM2-R3CF
Vulnerability from github – Published: 2022-11-29 21:30 – Updated: 2026-04-08 21:31The Appointment Hour Booking plugin for WordPress is vulnerable to CAPTCHA bypass in versions up to, and including, 1.3.72. This is due to the use of insufficiently strong hashing algorithm on the CAPTCHA secret that is also displayed to the user via a cookie.
{
"affected": [],
"aliases": [
"CVE-2022-4036"
],
"database_specific": {
"cwe_ids": [
"CWE-326",
"CWE-804",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-29T21:15:00Z",
"severity": "MODERATE"
},
"details": "The Appointment Hour Booking plugin for WordPress is vulnerable to CAPTCHA bypass in versions up to, and including, 1.3.72. This is due to the use of insufficiently strong hashing algorithm on the CAPTCHA secret that is also displayed to the user via a cookie.",
"id": "GHSA-5cwm-9hm2-r3cf",
"modified": "2026-04-08T21:31:45Z",
"published": "2022-11-29T21:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4036"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=2803896%40appointment-hour-booking\u0026new=2803896%40appointment-hour-booking\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f62d28bd-fa33-4f0b-a116-5aacc05bfa3a?source=cve"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/vulnerability-advisories-continued/#CVE-2022-4036"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5F4G-M368-XV75
Vulnerability from github – Published: 2022-04-12 00:00 – Updated: 2024-09-19 12:31Exposure of Private Personal Information to an Unauthorized Actor in GitHub repository gnuboard/gnuboard5 prior to and including 5.5.5. A vulnerability in gnuboard v5.5.5 and below uses weak encryption algorithms leading to sensitive information exposure. This allows an attacker to derive the email address of any user, including when the 'Let others see my information.' box is ticked off.
{
"affected": [],
"aliases": [
"CVE-2022-1252"
],
"database_specific": {
"cwe_ids": [
"CWE-326",
"CWE-327",
"CWE-359"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-11T11:15:00Z",
"severity": "HIGH"
},
"details": "Exposure of Private Personal Information to an Unauthorized Actor in GitHub repository gnuboard/gnuboard5 prior to and including 5.5.5. A vulnerability in gnuboard v5.5.5 and below uses weak encryption algorithms leading to sensitive information exposure. This allows an attacker to derive the email address of any user, including when the \u0027Let others see my information.\u0027 box is ticked off.",
"id": "GHSA-5f4g-m368-xv75",
"modified": "2024-09-19T12:31:20Z",
"published": "2022-04-12T00:00:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1252"
},
{
"type": "WEB",
"url": "https://0g.vc/posts/insecure-cipher-gnuboard5"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/c8c2c3e1-67d0-4a11-a4d4-11af567a9ebb"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5F8M-478G-QRV6
Vulnerability from github – Published: 2022-05-24 19:20 – Updated: 2022-05-24 19:20IBM Tivoli Key Lifecycle Manager 3.0, 3.0.1, 4.0, and 4.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 212792.
{
"affected": [],
"aliases": [
"CVE-2021-38983"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-11-15T16:15:00Z",
"severity": "HIGH"
},
"details": "IBM Tivoli Key Lifecycle Manager 3.0, 3.0.1, 4.0, and 4.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 212792.",
"id": "GHSA-5f8m-478g-qrv6",
"modified": "2022-05-24T19:20:53Z",
"published": "2022-05-24T19:20:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38983"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/212792"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6516036"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-5FHF-QX23-F7HX
Vulnerability from github – Published: 2022-05-24 17:34 – Updated: 2022-05-24 17:34An issue was discovered in Aviatrix Controller before R6.0.2483. Multiple executable files, that implement API endpoints, do not require a valid session ID for access.
{
"affected": [],
"aliases": [
"CVE-2020-26552"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-11-17T21:15:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in Aviatrix Controller before R6.0.2483. Multiple executable files, that implement API endpoints, do not require a valid session ID for access.",
"id": "GHSA-5fhf-qx23-f7hx",
"modified": "2022-05-24T17:34:29Z",
"published": "2022-05-24T17:34:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26552"
},
{
"type": "WEB",
"url": "https://www.criticalstart.com/multiple-vulnerabilities-discovered-in-aviatrix"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-5GQW-F2QG-W3VF
Vulnerability from github – Published: 2022-05-24 16:52 – Updated: 2022-05-24 16:52In Enigmail below 2.1, an attacker in possession of PGP encrypted emails can wrap them as sub-parts within a crafted multipart email. The encrypted part(s) can further be hidden using HTML/CSS or ASCII newline characters. This modified multipart email can be re-sent by the attacker to the intended receiver. If the receiver replies to this (benign looking) email, he unknowingly leaks the plaintext of the encrypted message part(s) back to the attacker. This attack variant bypasses protection mechanisms implemented after the "EFAIL" attacks.
{
"affected": [],
"aliases": [
"CVE-2019-14664"
],
"database_specific": {
"cwe_ids": [
"CWE-319",
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-08-05T20:15:00Z",
"severity": "MODERATE"
},
"details": "In Enigmail below 2.1, an attacker in possession of PGP encrypted emails can wrap them as sub-parts within a crafted multipart email. The encrypted part(s) can further be hidden using HTML/CSS or ASCII newline characters. This modified multipart email can be re-sent by the attacker to the intended receiver. If the receiver replies to this (benign looking) email, he unknowingly leaks the plaintext of the encrypted message part(s) back to the attacker. This attack variant bypasses protection mechanisms implemented after the \"EFAIL\" attacks.",
"id": "GHSA-5gqw-f2qg-w3vf",
"modified": "2022-05-24T16:52:35Z",
"published": "2022-05-24T16:52:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14664"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AVNTEF3WSOOQYKMIPEH7F77UPXES5BU5"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CYWBJHSBBLAHKMRWDWH2XXQDYAGDHB5I"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GHC5WDQ47FQSL5CTGQUYIHVC3RNZ7UH5"
},
{
"type": "WEB",
"url": "https://sourceforge.net/p/enigmail/bugs/984"
},
{
"type": "WEB",
"url": "https://www.enigmail.net/index.php/en/download/changelog"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-5GVM-V5F4-X692
Vulnerability from github – Published: 2023-06-02 18:30 – Updated: 2024-04-04 04:29A compromised web child process could disable web security opening restrictions, leading to a new child process being spawned within the file:// context. Given a reliable exploit primitive, this new process could be exploited again leading to arbitrary file read. This vulnerability affects Firefox < 109.
{
"affected": [],
"aliases": [
"CVE-2023-23597"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-02T17:15:10Z",
"severity": "MODERATE"
},
"details": "A compromised web child process could disable web security opening restrictions, leading to a new child process being spawned within the \u003ccode\u003efile://\u003c/code\u003e context. Given a reliable exploit primitive, this new process could be exploited again leading to arbitrary file read. This vulnerability affects Firefox \u003c 109.",
"id": "GHSA-5gvm-v5f4-x692",
"modified": "2024-04-04T04:29:37Z",
"published": "2023-06-02T18:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23597"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1538028"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2023-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5J69-6HHJ-5X7F
Vulnerability from github – Published: 2022-05-05 00:29 – Updated: 2023-08-22 21:30Zabbix before 5.0 represents passwords in the users table with unsalted MD5.
{
"affected": [],
"aliases": [
"CVE-2013-7484"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-11-30T02:15:00Z",
"severity": "MODERATE"
},
"details": "Zabbix before 5.0 represents passwords in the users table with unsalted MD5.",
"id": "GHSA-5j69-6hhj-5x7f",
"modified": "2023-08-22T21:30:17Z",
"published": "2022-05-05T00:29:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-7484"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00027.html"
},
{
"type": "WEB",
"url": "https://support.zabbix.com/browse/ZBX-16551"
},
{
"type": "WEB",
"url": "https://support.zabbix.com/browse/ZBXNEXT-1898"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Use an encryption scheme that is currently considered to be strong by experts in the field.
CAPEC-112: Brute Force
In this attack, some asset (information, functionality, identity, etc.) is protected by a finite secret value. The attacker attempts to gain access to this asset by using trial-and-error to exhaustively explore all the possible secret values in the hope of finding the secret (or a value that is functionally equivalent) that will unlock the asset.
CAPEC-192: Protocol Analysis
An adversary engages in activities to decipher and/or decode protocol information for a network or application communication protocol used for transmitting information between interconnected nodes or systems on a packet-switched data network. While this type of analysis involves the analysis of a networking protocol inherently, it does not require the presence of an actual or physical network.
CAPEC-20: Encryption Brute Forcing
An attacker, armed with the cipher text and the encryption algorithm used, performs an exhaustive (brute force) search on the key space to determine the key that decrypts the cipher text to obtain the plaintext.