CWE-326
Allowed-with-ReviewInadequate Encryption Strength
Abstraction: Class · Status: Draft
The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
633 vulnerabilities reference this CWE, most recent first.
GHSA-MJ68-CHX7-GHQ2
Vulnerability from github – Published: 2022-05-24 16:44 – Updated: 2024-04-04 00:16IBM API Connect 2018.1 and 2018.4.1.2 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 155078.
{
"affected": [],
"aliases": [
"CVE-2018-2007"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-04-29T17:29:00Z",
"severity": "HIGH"
},
"details": "IBM API Connect 2018.1 and 2018.4.1.2 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 155078.",
"id": "GHSA-mj68-chx7-ghq2",
"modified": "2024-04-04T00:16:47Z",
"published": "2022-05-24T16:44:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-2007"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/155078"
},
{
"type": "WEB",
"url": "http://www.ibm.com/support/docview.wss?uid=ibm10874952"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MJG4-5RFJ-952F
Vulnerability from github – Published: 2022-04-22 00:24 – Updated: 2024-04-03 23:05The OpenSSL extension of Ruby (Git trunk) versions after 2011-09-01 up to 2011-11-03 always generated an exponent value of '1' to be used for private RSA key generation. A remote attacker could use this flaw to bypass or corrupt integrity of services, depending on strong private RSA keys generation mechanism.
{
"affected": [],
"aliases": [
"CVE-2011-4121"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-11-26T05:15:00Z",
"severity": "CRITICAL"
},
"details": "The OpenSSL extension of Ruby (Git trunk) versions after 2011-09-01 up to 2011-11-03 always generated an exponent value of \u00271\u0027 to be used for private RSA key generation. A remote attacker could use this flaw to bypass or corrupt integrity of services, depending on strong private RSA keys generation mechanism.",
"id": "GHSA-mjg4-5rfj-952f",
"modified": "2024-04-03T23:05:48Z",
"published": "2022-04-22T00:24:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2011-4121"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/cve-2011-4121"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-4121"
},
{
"type": "WEB",
"url": "https://security-tracker.debian.org/tracker/CVE-2011-4121"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2013/07/01/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MJH9-7RC2-MX92
Vulnerability from github – Published: 2022-05-13 01:05 – Updated: 2022-05-13 01:05IBM Tivoli Storage Manager (IBM Spectrum Protect 7.1 and 8.1) uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 142649.
{
"affected": [],
"aliases": [
"CVE-2018-1545"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-09-26T15:29:00Z",
"severity": "HIGH"
},
"details": "IBM Tivoli Storage Manager (IBM Spectrum Protect 7.1 and 8.1) uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 142649.",
"id": "GHSA-mjh9-7rc2-mx92",
"modified": "2022-05-13T01:05:02Z",
"published": "2022-05-13T01:05:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1545"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/142649"
},
{
"type": "WEB",
"url": "http://www.ibm.com/support/docview.wss?uid=ibm10718013"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MMX7-9C9C-W6WV
Vulnerability from github – Published: 2022-05-17 04:38 – Updated: 2025-11-01 00:30Schneider Electric Wonderware Information Server (WIS) Portal 4.0 SP1 through 5.5 uses weak encryption, which allows local users to obtain sensitive information by reading a credential file.
{
"affected": [],
"aliases": [
"CVE-2014-2381"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2014-08-28T01:55:00Z",
"severity": "LOW"
},
"details": "Schneider Electric Wonderware Information Server (WIS) Portal 4.0 SP1 through 5.5 uses weak encryption, which allows local users to obtain sensitive information by reading a credential file.",
"id": "GHSA-mmx7-9c9c-w6wv",
"modified": "2025-11-01T00:30:25Z",
"published": "2022-05-17T04:38:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-2381"
},
{
"type": "WEB",
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2014/icsa-14-238-02.json"
},
{
"type": "WEB",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-14-238-02"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-14-238-02"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-MP37-3W38-3HMX
Vulnerability from github – Published: 2022-05-13 01:06 – Updated: 2025-04-20 03:36An Inadequate Encryption Strength issue was discovered in Schneider Electric Wonderware InTouch Access Anywhere, version 11.5.2 and prior. The software will connect via Transport Layer Security without verifying the peer's SSL certificate properly.
{
"affected": [],
"aliases": [
"CVE-2017-5160"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-04-20T20:59:00Z",
"severity": "MODERATE"
},
"details": "An Inadequate Encryption Strength issue was discovered in Schneider Electric Wonderware InTouch Access Anywhere, version 11.5.2 and prior. The software will connect via Transport Layer Security without verifying the peer\u0027s SSL certificate properly.",
"id": "GHSA-mp37-3w38-3hmx",
"modified": "2025-04-20T03:36:21Z",
"published": "2022-05-13T01:06:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5160"
},
{
"type": "WEB",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-089-01"
},
{
"type": "WEB",
"url": "http://software.schneider-electric.com/pdf/security-bulletin/lfsec00000114"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/97256"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MP5W-52HW-836R
Vulnerability from github – Published: 2026-04-09 00:32 – Updated: 2026-04-13 21:30Cryptographic Flaw in PDFium in Google Chrome prior to 147.0.7727.55 allowed an attacker to read potentially sensitive information from encrypted PDFs via a brute-force attack. (Chromium security severity: Medium)
{
"affected": [],
"aliases": [
"CVE-2026-5889"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-08T22:16:28Z",
"severity": "MODERATE"
},
"details": "Cryptographic Flaw in PDFium in Google Chrome prior to 147.0.7727.55 allowed an attacker to read potentially sensitive information from encrypted PDFs via a brute-force attack. (Chromium security severity: Medium)",
"id": "GHSA-mp5w-52hw-836r",
"modified": "2026-04-13T21:30:37Z",
"published": "2026-04-09T00:32:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5889"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/486906037"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MPC8-GWHR-V5C8
Vulnerability from github – Published: 2022-05-17 02:55 – Updated: 2025-04-20 03:31Information Disclosure can occur in sshProfiles.jsd in Hitek Software's Automize because of the Read attribute being set for Users. This allows an attacker to recover encrypted passwords for SSH/SFTP profiles. Verified in all 10.x versions up to and including 10.25, and all 11.x versions up to and including 11.14.
{
"affected": [],
"aliases": [
"CVE-2016-10104"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-01-23T07:59:00Z",
"severity": "MODERATE"
},
"details": "Information Disclosure can occur in sshProfiles.jsd in Hitek Software\u0027s Automize because of the Read attribute being set for Users. This allows an attacker to recover encrypted passwords for SSH/SFTP profiles. Verified in all 10.x versions up to and including 10.25, and all 11.x versions up to and including 11.14.",
"id": "GHSA-mpc8-gwhr-v5c8",
"modified": "2025-04-20T03:31:24Z",
"published": "2022-05-17T02:55:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-10104"
},
{
"type": "WEB",
"url": "https://rastamouse.me/guff/2016/automize"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/96845"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MPP7-XQ5H-6FJH
Vulnerability from github – Published: 2024-07-27 00:32 – Updated: 2024-09-19 15:30An issue was discovered in Couchbase Server before 7.2.5 and 7.6.0 before 7.6.1. It does not ensure that credentials are negotiated with the Key-Value (KV) service using SCRAM-SHA when remote link encryption is configured for Half-Secure.
{
"affected": [],
"aliases": [
"CVE-2024-37034"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-26T22:15:03Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in Couchbase Server before 7.2.5 and 7.6.0 before 7.6.1. It does not ensure that credentials are negotiated with the Key-Value (KV) service using SCRAM-SHA when remote link encryption is configured for Half-Secure.",
"id": "GHSA-mpp7-xq5h-6fjh",
"modified": "2024-09-19T15:30:48Z",
"published": "2024-07-27T00:32:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37034"
},
{
"type": "WEB",
"url": "https://www.couchbase.com/alerts"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MQ7V-2XJ4-RHJJ
Vulnerability from github – Published: 2024-01-30 12:30 – Updated: 2024-03-05 21:30An issue in AIT-Deutschland Alpha Innotec Heatpumps wp2reg-V.3.88.0-9015 and Novelan Heatpumps wp2reg-V.3.88.0-9015, allows remote attackers to execute arbitrary code via the password component in the shadow file.
{
"affected": [],
"aliases": [
"CVE-2024-22894"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-30T10:15:09Z",
"severity": "MODERATE"
},
"details": "An issue in AIT-Deutschland Alpha Innotec Heatpumps wp2reg-V.3.88.0-9015 and Novelan Heatpumps wp2reg-V.3.88.0-9015, allows remote attackers to execute arbitrary code via the password component in the shadow file.",
"id": "GHSA-mq7v-2xj4-rhjj",
"modified": "2024-03-05T21:30:24Z",
"published": "2024-01-30T12:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22894"
},
{
"type": "WEB",
"url": "https://github.com/Jaarden/AlphaInnotec-Password-Vulnerability"
},
{
"type": "WEB",
"url": "https://github.com/Jaarden/CVE-2024-22894"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MQJX-JCPX-J93Q
Vulnerability from github – Published: 2022-05-24 19:20 – Updated: 2022-05-24 19:20IBM Tivoli Key Lifecycle Manager 3.0, 3.0.1, 4.0, and 4.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 212793.
{
"affected": [],
"aliases": [
"CVE-2021-38984"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-11-15T16:15:00Z",
"severity": "HIGH"
},
"details": "IBM Tivoli Key Lifecycle Manager 3.0, 3.0.1, 4.0, and 4.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 212793.",
"id": "GHSA-mqjx-jcpx-j93q",
"modified": "2022-05-24T19:20:53Z",
"published": "2022-05-24T19:20:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38984"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/212793"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6516032"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation
Use an encryption scheme that is currently considered to be strong by experts in the field.
CAPEC-112: Brute Force
In this attack, some asset (information, functionality, identity, etc.) is protected by a finite secret value. The attacker attempts to gain access to this asset by using trial-and-error to exhaustively explore all the possible secret values in the hope of finding the secret (or a value that is functionally equivalent) that will unlock the asset.
CAPEC-192: Protocol Analysis
An adversary engages in activities to decipher and/or decode protocol information for a network or application communication protocol used for transmitting information between interconnected nodes or systems on a packet-switched data network. While this type of analysis involves the analysis of a networking protocol inherently, it does not require the presence of an actual or physical network.
CAPEC-20: Encryption Brute Forcing
An attacker, armed with the cipher text and the encryption algorithm used, performs an exhaustive (brute force) search on the key space to determine the key that decrypts the cipher text to obtain the plaintext.