Common Weakness Enumeration

CWE-326

Allowed-with-Review

Inadequate Encryption Strength

Abstraction: Class · Status: Draft

The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

633 vulnerabilities reference this CWE, most recent first.

GHSA-HQHM-W88M-83J6

Vulnerability from github – Published: 2022-05-14 03:20 – Updated: 2022-05-14 03:20
VLAI
Details

IBM Rational Focal Point 6.4.0, 6.4.1, 6.5.1, 6.5.2, and 6.6.0 use a weak algorithm to hash passwords, which makes it easier for context-dependent attackers to obtain cleartext values via a brute-force attack. IBM X-Force ID: 90704.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2014-0841"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-04-27T16:29:00Z",
    "severity": "MODERATE"
  },
  "details": "IBM Rational Focal Point 6.4.0, 6.4.1, 6.5.1, 6.5.2, and 6.6.0 use a weak algorithm to hash passwords, which makes it easier for context-dependent attackers to obtain cleartext values via a brute-force attack. IBM X-Force ID: 90704.",
  "id": "GHSA-hqhm-w88m-83j6",
  "modified": "2022-05-14T03:20:02Z",
  "published": "2022-05-14T03:20:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0841"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90704"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/blogs/psirt/ibm-security-bulletin-weak-password-hash-vulnerability-in-rational-focalpoint-cve-2014-0841"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HQHQ-PXHF-F4JJ

Vulnerability from github – Published: 2022-05-17 02:50 – Updated: 2022-05-17 02:50
VLAI
Details

OSRAM SYLVANIA Osram Lightify Pro before 2016-07-26 uses only 8 hex digits for a PSK.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-5056"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-04-10T03:59:00Z",
    "severity": "HIGH"
  },
  "details": "OSRAM SYLVANIA Osram Lightify Pro before 2016-07-26 uses only 8 hex digits for a PSK.",
  "id": "GHSA-hqhq-pxhf-f4jj",
  "modified": "2022-05-17T02:50:12Z",
  "published": "2022-05-17T02:50:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-5056"
    },
    {
      "type": "WEB",
      "url": "https://community.rapid7.com/community/infosec/blog/2016/07/26/r7-2016-10-multiple-osram-sylvania-osram-lightify-vulnerabilities-cve-2016-5051-through-5059"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HV4Q-F4H2-QJ89

Vulnerability from github – Published: 2022-02-11 00:00 – Updated: 2022-02-18 00:00
VLAI
Details

A CWE-326: Inadequate Encryption Strength vulnerability exists that could cause non-encrypted communication with the server when outdated versions of the ViewX client are used. Affected Product: ClearSCADA (All Versions), EcoStruxure Geo SCADA Expert 2019 (All Versions), EcoStruxure Geo SCADA Expert 2020 (All Versions)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-24318"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-02-09T23:15:00Z",
    "severity": "HIGH"
  },
  "details": "A CWE-326: Inadequate Encryption Strength vulnerability exists that could cause non-encrypted communication with the server when outdated versions of the ViewX client are used. Affected Product: ClearSCADA (All Versions), EcoStruxure Geo SCADA Expert 2019 (All Versions), EcoStruxure Geo SCADA Expert 2020 (All Versions)",
  "id": "GHSA-hv4q-f4h2-qj89",
  "modified": "2022-02-18T00:00:58Z",
  "published": "2022-02-11T00:00:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24318"
    },
    {
      "type": "WEB",
      "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-039-05"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-HV9M-498V-FP67

Vulnerability from github – Published: 2022-05-24 22:01 – Updated: 2025-05-22 21:30
VLAI
Details

Medtronic Valleylab Exchange Client version 3.4 and below, Valleylab FT10 Energy Platform (VLFT10GEN) software version 4.0.0 and below, and Valleylab FX8 Energy Platform (VLFX8GEN) software version 1.1.0 and below use the descrypt algorithm for OS password hashing. While interactive, network-based logons are disabled, and attackers can use the other vulnerabilities within this report to obtain local shell access and access these hashes.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-13539"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326",
      "CWE-328"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-11-08T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "Medtronic Valleylab Exchange Client version 3.4 and below, Valleylab FT10 Energy Platform (VLFT10GEN) software version 4.0.0 and below, and Valleylab FX8 Energy Platform (VLFX8GEN) software version 1.1.0 and below use the descrypt algorithm for OS password hashing. While interactive, network-based logons are disabled, and attackers can use the other vulnerabilities within this report to obtain local shell access and access these hashes.",
  "id": "GHSA-hv9m-498v-fp67",
  "modified": "2025-05-22T21:30:31Z",
  "published": "2022-05-24T22:01:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13539"
    },
    {
      "type": "WEB",
      "url": "https://global.medtronic.com/xg-en/product-security/security-bulletins/valleylab-generator-rfid-vulnerabilities.html"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-19-311-02"
    },
    {
      "type": "WEB",
      "url": "https://www.us-cert.gov/ics/advisories/icsma-19-311-02"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HVFG-6X3X-XRPQ

Vulnerability from github – Published: 2022-05-13 01:33 – Updated: 2022-05-13 01:33
VLAI
Details

IBM InfoSphere Information Server 11.7 is affected by a weak password encryption vulnerability that could allow a local user to obtain highly sensitive information. IBM X-Force ID: 141682.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-1518"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-10-18T15:29:00Z",
    "severity": "MODERATE"
  },
  "details": "IBM InfoSphere Information Server 11.7 is affected by a weak password encryption vulnerability that could allow a local user to obtain highly sensitive information. IBM X-Force ID: 141682.",
  "id": "GHSA-hvfg-6x3x-xrpq",
  "modified": "2022-05-13T01:33:10Z",
  "published": "2022-05-13T01:33:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1518"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/141682"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/docview.wss?uid=swg22017446"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HXGF-G28H-M63F

Vulnerability from github – Published: 2023-05-15 12:30 – Updated: 2024-04-04 04:05
VLAI
Details

Inadequate Encryption Strength in CODESYS Development System V3 versions prior to V3.5.18.40 allows an unauthenticated local attacker to access and manipulate code of the encrypted boot application.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-4048"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-05-15T10:15:10Z",
    "severity": "HIGH"
  },
  "details": "Inadequate Encryption Strength in CODESYS Development System V3 versions prior to V3.5.18.40 allows an unauthenticated local attacker to access and manipulate code of the encrypted boot application.",
  "id": "GHSA-hxgf-g28h-m63f",
  "modified": "2024-04-04T04:05:09Z",
  "published": "2023-05-15T12:30:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4048"
    },
    {
      "type": "WEB",
      "url": "https://customers.codesys.com/index.php?eID=dumpFile\u0026t=f\u0026f=17350\u0026token=2cee62285d3ec76d6a78dfa9b9e81e66f6136a2a\u0026download="
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J239-4GQG-5J54

Vulnerability from github – Published: 2021-06-03 19:22 – Updated: 2025-01-22 21:44
VLAI
Summary
Inadequate Encryption Strength
Details

Primetek Primefaces 5.x is vulnerable to a weak encryption flaw resulting in remote code execution

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.primefaces:primefaces"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0"
            },
            {
              "fixed": "6.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2017-1000486"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-06-03T19:22:05Z",
    "nvd_published_at": "2018-01-03T20:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "Primetek Primefaces 5.x is vulnerable to a weak encryption flaw resulting in remote code execution",
  "id": "GHSA-j239-4gqg-5j54",
  "modified": "2025-01-22T21:44:51Z",
  "published": "2021-06-03T19:22:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000486"
    },
    {
      "type": "WEB",
      "url": "https://github.com/primefaces/primefaces/issues/1152"
    },
    {
      "type": "WEB",
      "url": "https://cryptosense.com/weak-encryption-flaw-in-primefaces"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/43733"
    },
    {
      "type": "WEB",
      "url": "http://blog.mindedsecurity.com/2016/02/rce-in-oracle-netbeans-opensource.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Inadequate Encryption Strength"
}

GHSA-J34J-9RR2-H43R

Vulnerability from github – Published: 2022-05-01 02:06 – Updated: 2024-02-14 18:30
VLAI
Details

WebEOC before 6.0.2 uses a weak encryption scheme for passwords, which makes it easier for attackers to crack passwords.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2005-2281"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2005-07-18T04:00:00Z",
    "severity": "MODERATE"
  },
  "details": "WebEOC before 6.0.2 uses a weak encryption scheme for passwords, which makes it easier for attackers to crack passwords.",
  "id": "GHSA-j34j-9rr2-h43r",
  "modified": "2024-02-14T18:30:23Z",
  "published": "2022-05-01T02:06:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2005-2281"
    },
    {
      "type": "WEB",
      "url": "http://www.kb.cert.org/vuls/id/491770"
    },
    {
      "type": "WEB",
      "url": "http://www.kb.cert.org/vuls/id/JGEI-6BWQDQ"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J3C8-2MG3-X49V

Vulnerability from github – Published: 2022-05-24 17:17 – Updated: 2022-05-24 17:17
VLAI
Details

On versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.4, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the default deployment mode for BIG-IP high availability (HA) pair mirroring is insecure. This is a control plane issue that is exposed only on the network used for mirroring.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-5884"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-04-30T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "On versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.4, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the default deployment mode for BIG-IP high availability (HA) pair mirroring is insecure. This is a control plane issue that is exposed only on the network used for mirroring.",
  "id": "GHSA-j3c8-2mg3-x49v",
  "modified": "2022-05-24T17:17:01Z",
  "published": "2022-05-24T17:17:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5884"
    },
    {
      "type": "WEB",
      "url": "https://support.f5.com/csp/article/K72540690"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-J3G9-6FX5-GJV7

Vulnerability from github – Published: 2019-07-05 21:08 – Updated: 2025-10-22 17:43
VLAI
Summary
Inadequate Encryption Strength in DotNetNuke
Details

DNN (aka DotNetNuke) 9.2 through 9.2.2 uses a weak encryption algorithm to protect input parameters. NOTE: this issue exists because of an incomplete fix for CVE-2018-15811.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "DotNetNuke.Core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "9.3.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2018-18325"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2019-07-05T20:59:02Z",
    "nvd_published_at": "2019-07-03T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "DNN (aka DotNetNuke) 9.2 through 9.2.2 uses a weak encryption algorithm to protect input parameters. NOTE: this issue exists because of an incomplete fix for CVE-2018-15811.",
  "id": "GHSA-j3g9-6fx5-gjv7",
  "modified": "2025-10-22T17:43:44Z",
  "published": "2019-07-05T21:08:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-18325"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/dnnsoftware/Dnn.Platform"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dnnsoftware/Dnn.Platform/releases"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-18325"
    },
    {
      "type": "WEB",
      "url": "https://www.dnnsoftware.com/community/security/security-center"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/157080/DotNetNuke-Cookie-Deserialization-Remote-Code-Execution.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Inadequate Encryption Strength in DotNetNuke"
}

Mitigation
Architecture and Design

Use an encryption scheme that is currently considered to be strong by experts in the field.

CAPEC-112: Brute Force

In this attack, some asset (information, functionality, identity, etc.) is protected by a finite secret value. The attacker attempts to gain access to this asset by using trial-and-error to exhaustively explore all the possible secret values in the hope of finding the secret (or a value that is functionally equivalent) that will unlock the asset.

CAPEC-192: Protocol Analysis

An adversary engages in activities to decipher and/or decode protocol information for a network or application communication protocol used for transmitting information between interconnected nodes or systems on a packet-switched data network. While this type of analysis involves the analysis of a networking protocol inherently, it does not require the presence of an actual or physical network.

CAPEC-20: Encryption Brute Forcing

An attacker, armed with the cipher text and the encryption algorithm used, performs an exhaustive (brute force) search on the key space to determine the key that decrypts the cipher text to obtain the plaintext.