CWE-326
Inadequate Encryption Strength
Description
The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-112 · CAPEC-192 · CAPEC-20
CVEs mapped to this weakness (194)
page 10 of 10| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2013-2166 | — | 0.00 | — | 0.02 | Dec 10, 2019 | python-keystoneclient version 0.2.3 to 0.2.5 has middleware memcache encryption bypass | ||
| CVE-2010-3670 | — | 0.00 | — | 0.01 | Nov 5, 2019 | TYPO3 before 4.3.4 and 4.4.x before 4.4.1 contains insecure randomness during generation of a hash with the "forgot password" function. | ||
| CVE-2019-17598 | — | 0.00 | — | 0.01 | Nov 5, 2019 | An issue was discovered in Lightbend Play Framework 2.5.x through 2.6.23. When configured to make requests using an authenticated HTTP proxy, play-ws may sometimes, typically under high load, when connecting to a target host using https, expose the proxy credentials to the… | ||
| CVE-2018-19784 | — | 0.00 | — | 0.01 | Dec 1, 2018 | The str_rot_pass function in vendor/atholn1600/php-proxy/src/helpers.php in PHP-Proxy 5.1.0 uses weak cryptography, which makes it easier for attackers to calculate the authorization data needed for local file inclusion. | ||
| CVE-2014-9199 | 0.00 | — | 0.03 | Jan 17, 2015 | The Clorius Controls Java web client before 01.00.0009g allows remote attackers to discover credentials by sniffing the network for cleartext-equivalent traffic. | |||
| CVE-2014-2381 | 0.00 | — | 0.00 | Aug 28, 2014 | Schneider Electric Wonderware Information Server (WIS) Portal 4.0 SP1 through 5.5 uses weak encryption, which allows local users to obtain sensitive information by reading a credential file. | |||
| CVE-2014-2380 | 0.00 | — | 0.01 | Aug 28, 2014 | Schneider Electric Wonderware Information Server (WIS) Portal 4.0 SP1 through 5.5 uses weak encryption, which allows remote attackers to obtain sensitive information by reading a credential file. | |||
| CVE-2013-6372 | 0.00 | — | 0.01 | May 8, 2014 | The Subversion plugin before 1.54 for Jenkins stores credentials using base64 encoding, which allows local users to obtain passwords and SSH private keys by reading a subversion.credentials file. | |||
| CVE-2014-1491 | 0.00 | — | 0.05 | Feb 6, 2014 | Mozilla Network Security Services (NSS) before 3.15.4, as used in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, SeaMonkey before 2.24, and other products, does not properly restrict public values in Diffie-Hellman key exchanges, which makes… | |||
| CVE-2013-0764 | 0.00 | — | 0.03 | Jan 13, 2013 | The nsSOCKSSocketInfo::ConnectToProxy function in Mozilla Firefox before 18.0, Firefox ESR 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderbird ESR 17.x before 17.0.2, and SeaMonkey before 2.15 does not ensure thread safety for SSL sessions, which allows remote attackers… | |||
| CVE-2012-4571 | 0.00 | — | 0.00 | Nov 30, 2012 | Python Keyring 0.9.1 does not securely initialize the cipher when encrypting passwords for CryptedFileKeyring files, which makes it easier for local users to obtain passwords via a brute-force attack. | |||
| CVE-2012-3458 | 0.00 | — | 0.02 | Sep 15, 2012 | Beaker before 1.6.4, when using PyCrypto to encrypt sessions, uses AES in ECB cipher mode, which might allow remote attackers to obtain portions of sensitive session data via unspecified vectors. | |||
| CVE-2009-2474 | 0.00 | — | 0.01 | Aug 21, 2009 | neon before 0.28.6, when OpenSSL or GnuTLS is used, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate… | |||
| CVE-2005-0366 | 0.00 | — | 0.03 | May 2, 2005 | The integrity check feature in OpenPGP, when handling a message that was encrypted using cipher feedback (CFB) mode, allows remote attackers to recover part of the plaintext via a chosen-ciphertext attack when the first 2 bytes of a message block are known, and an oracle or… |
- CVE-2013-2166Dec 10, 2019risk 0.00cvss —epss 0.02
python-keystoneclient version 0.2.3 to 0.2.5 has middleware memcache encryption bypass
- CVE-2010-3670Nov 5, 2019risk 0.00cvss —epss 0.01
TYPO3 before 4.3.4 and 4.4.x before 4.4.1 contains insecure randomness during generation of a hash with the "forgot password" function.
- CVE-2019-17598Nov 5, 2019risk 0.00cvss —epss 0.01
An issue was discovered in Lightbend Play Framework 2.5.x through 2.6.23. When configured to make requests using an authenticated HTTP proxy, play-ws may sometimes, typically under high load, when connecting to a target host using https, expose the proxy credentials to the…
- CVE-2018-19784Dec 1, 2018risk 0.00cvss —epss 0.01
The str_rot_pass function in vendor/atholn1600/php-proxy/src/helpers.php in PHP-Proxy 5.1.0 uses weak cryptography, which makes it easier for attackers to calculate the authorization data needed for local file inclusion.
- CVE-2014-9199Jan 17, 2015risk 0.00cvss —epss 0.03
The Clorius Controls Java web client before 01.00.0009g allows remote attackers to discover credentials by sniffing the network for cleartext-equivalent traffic.
- CVE-2014-2381Aug 28, 2014risk 0.00cvss —epss 0.00
Schneider Electric Wonderware Information Server (WIS) Portal 4.0 SP1 through 5.5 uses weak encryption, which allows local users to obtain sensitive information by reading a credential file.
- CVE-2014-2380Aug 28, 2014risk 0.00cvss —epss 0.01
Schneider Electric Wonderware Information Server (WIS) Portal 4.0 SP1 through 5.5 uses weak encryption, which allows remote attackers to obtain sensitive information by reading a credential file.
- CVE-2013-6372May 8, 2014risk 0.00cvss —epss 0.01
The Subversion plugin before 1.54 for Jenkins stores credentials using base64 encoding, which allows local users to obtain passwords and SSH private keys by reading a subversion.credentials file.
- CVE-2014-1491Feb 6, 2014risk 0.00cvss —epss 0.05
Mozilla Network Security Services (NSS) before 3.15.4, as used in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, SeaMonkey before 2.24, and other products, does not properly restrict public values in Diffie-Hellman key exchanges, which makes…
- CVE-2013-0764Jan 13, 2013risk 0.00cvss —epss 0.03
The nsSOCKSSocketInfo::ConnectToProxy function in Mozilla Firefox before 18.0, Firefox ESR 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderbird ESR 17.x before 17.0.2, and SeaMonkey before 2.15 does not ensure thread safety for SSL sessions, which allows remote attackers…
- CVE-2012-4571Nov 30, 2012risk 0.00cvss —epss 0.00
Python Keyring 0.9.1 does not securely initialize the cipher when encrypting passwords for CryptedFileKeyring files, which makes it easier for local users to obtain passwords via a brute-force attack.
- CVE-2012-3458Sep 15, 2012risk 0.00cvss —epss 0.02
Beaker before 1.6.4, when using PyCrypto to encrypt sessions, uses AES in ECB cipher mode, which might allow remote attackers to obtain portions of sensitive session data via unspecified vectors.
- CVE-2009-2474Aug 21, 2009risk 0.00cvss —epss 0.01
neon before 0.28.6, when OpenSSL or GnuTLS is used, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate…
- CVE-2005-0366May 2, 2005risk 0.00cvss —epss 0.03
The integrity check feature in OpenPGP, when handling a message that was encrypted using cipher feedback (CFB) mode, allows remote attackers to recover part of the plaintext via a chosen-ciphertext attack when the first 2 bytes of a message block are known, and an oracle or…