VYPR

CWE-326

Inadequate Encryption Strength

ClassDraft

Description

The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

A weak encryption scheme can be subjected to brute force attacks that have a reasonable chance of succeeding using current attack methods and resources.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-112 · CAPEC-192 · CAPEC-20

CVEs mapped to this weakness (194)

page 10 of 10
  • CVE-2013-2166Dec 10, 2019
    risk 0.00cvss epss 0.02

    python-keystoneclient version 0.2.3 to 0.2.5 has middleware memcache encryption bypass

  • CVE-2010-3670Nov 5, 2019
    risk 0.00cvss epss 0.01

    TYPO3 before 4.3.4 and 4.4.x before 4.4.1 contains insecure randomness during generation of a hash with the "forgot password" function.

  • CVE-2019-17598Nov 5, 2019
    risk 0.00cvss epss 0.01

    An issue was discovered in Lightbend Play Framework 2.5.x through 2.6.23. When configured to make requests using an authenticated HTTP proxy, play-ws may sometimes, typically under high load, when connecting to a target host using https, expose the proxy credentials to the…

  • CVE-2018-19784Dec 1, 2018
    risk 0.00cvss epss 0.01

    The str_rot_pass function in vendor/atholn1600/php-proxy/src/helpers.php in PHP-Proxy 5.1.0 uses weak cryptography, which makes it easier for attackers to calculate the authorization data needed for local file inclusion.

  • CVE-2014-9199Jan 17, 2015
    risk 0.00cvss epss 0.03

    The Clorius Controls Java web client before 01.00.0009g allows remote attackers to discover credentials by sniffing the network for cleartext-equivalent traffic.

  • CVE-2014-2381Aug 28, 2014
    risk 0.00cvss epss 0.00

    Schneider Electric Wonderware Information Server (WIS) Portal 4.0 SP1 through 5.5 uses weak encryption, which allows local users to obtain sensitive information by reading a credential file.

  • CVE-2014-2380Aug 28, 2014
    risk 0.00cvss epss 0.01

    Schneider Electric Wonderware Information Server (WIS) Portal 4.0 SP1 through 5.5 uses weak encryption, which allows remote attackers to obtain sensitive information by reading a credential file.

  • CVE-2013-6372May 8, 2014
    risk 0.00cvss epss 0.01

    The Subversion plugin before 1.54 for Jenkins stores credentials using base64 encoding, which allows local users to obtain passwords and SSH private keys by reading a subversion.credentials file.

  • CVE-2014-1491Feb 6, 2014
    risk 0.00cvss epss 0.05

    Mozilla Network Security Services (NSS) before 3.15.4, as used in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, SeaMonkey before 2.24, and other products, does not properly restrict public values in Diffie-Hellman key exchanges, which makes…

  • CVE-2013-0764Jan 13, 2013
    risk 0.00cvss epss 0.03

    The nsSOCKSSocketInfo::ConnectToProxy function in Mozilla Firefox before 18.0, Firefox ESR 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderbird ESR 17.x before 17.0.2, and SeaMonkey before 2.15 does not ensure thread safety for SSL sessions, which allows remote attackers…

  • CVE-2012-4571Nov 30, 2012
    risk 0.00cvss epss 0.00

    Python Keyring 0.9.1 does not securely initialize the cipher when encrypting passwords for CryptedFileKeyring files, which makes it easier for local users to obtain passwords via a brute-force attack.

  • CVE-2012-3458Sep 15, 2012
    risk 0.00cvss epss 0.02

    Beaker before 1.6.4, when using PyCrypto to encrypt sessions, uses AES in ECB cipher mode, which might allow remote attackers to obtain portions of sensitive session data via unspecified vectors.

  • CVE-2009-2474Aug 21, 2009
    risk 0.00cvss epss 0.01

    neon before 0.28.6, when OpenSSL or GnuTLS is used, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate…

  • CVE-2005-0366May 2, 2005
    risk 0.00cvss epss 0.03

    The integrity check feature in OpenPGP, when handling a message that was encrypted using cipher feedback (CFB) mode, allows remote attackers to recover part of the plaintext via a chosen-ciphertext attack when the first 2 bytes of a message block are known, and an oracle or…