CWE-326
Inadequate Encryption Strength
Description
The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-112 · CAPEC-192 · CAPEC-20
CVEs mapped to this weakness (194)
Page 9 of 10

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-28860 | | | 0.00 | — | 0.00 | | Mar 27, 2024 | Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Users of IPsec transparent encryption in Cilium may be vulnerable to cryptographic attacks that render the transparent encryption ineffective. In particular, Cilium is vulnerable to chosen… |
| CVE-2024-23656 | | | 0.00 | — | 0.00 | | Jan 25, 2024 | Dex is an identity service that uses OpenID Connect to drive authentication for other apps. Dex 2.37.0 serves HTTPS with insecure TLS 1.0 and TLS 1.1. `cmd/dex/serve.go` line 425 seemingly sets TLS 1.2 as minimum version, but the whole `tlsConfig` is ignored after `TLS cert… |
| CVE-2023-48051 | | | 0.00 | — | 0.00 | | Nov 20, 2023 | An issue in /upydev/keygen.py in upydev v0.4.3 allows attackers to decrypt sensitive information via weak encryption padding. |
| CVE-2023-46894 | | | 0.00 | — | 0.00 | | Nov 9, 2023 | An issue discovered in esptool 4.6.2 allows attackers to view sensitive information via weak cryptographic algorithm. |
| CVE-2023-44690 | | | 0.00 | — | 0.00 | | Oct 19, 2023 | Inadequate encryption strength in mycli 1.27.0 allows attackers to view sensitive information via /mycli/config.py |
| CVE-2023-31135 | | | 0.00 | — | 0.00 | | May 17, 2023 | Dgraph is an open source distributed GraphQL database. Existing Dgraph audit logs are vulnerable to brute force attacks due to nonce collisions. The first 12 bytes come from a baseIv which is initialized when an audit log is created. The last 4 bytes come from the length of the… |
| CVE-2023-27987 | | | 0.00 | — | 0.01 | | Apr 10, 2023 | In Apache Linkis <=1.3.1, due to the default token generated by Linkis Gateway deployment being too simple, it is easy for attackers to obtain the default token for the attack. Generation rules should add random values. We recommend users upgrade the version of Linkis to… |
| CVE-2022-2582 | | | 0.00 | — | 0.00 | | Dec 27, 2022 | The AWS S3 Crypto SDK sends an unencrypted hash of the plaintext alongside the ciphertext as a metadata field. This hash can be used to brute force the plaintext, if the hash is readable to the attacker. AWS now blocks this metadata field, but older SDK versions still send it. |
| CVE-2022-45379 | | | 0.00 | — | 0.00 | | Nov 15, 2022 | Jenkins Script Security Plugin 1189.vb_a_b_7c8fd5fde and earlier stores whole-script approvals as the SHA-1 hash of the script, making it vulnerable to collision attacks. |
| CVE-2022-3273 | | | 0.00 | — | 0.00 | | Oct 6, 2022 | Allocation of Resources Without Limits or Throttling in GitHub repository ikus060/rdiffweb prior to 2.5.0a4. |
| CVE-2022-35513 | | | 0.00 | — | 0.04 | | Sep 7, 2022 | The Blink1Control2 application <= 2.2.7 uses weak password encryption and an insecure method of storage. |
| CVE-2022-2097 | | | 0.00 | — | 0.02 | | Jul 5, 2022 | AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of "in… |
| CVE-2022-29249 | | | 0.00 | — | 0.01 | | May 24, 2022 | JavaEZ is a library that adds new functions to make Java easier. A weakness in JavaEZ 1.6 allows force decryption of locked text by unauthorized actors. The issue is NOT critical for non-secure applications, however may be critical in a situation where the highest levels of… |
| CVE-2022-29161 | | | 0.00 | — | 0.00 | | May 5, 2022 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The XWiki Crypto API will generate X509 certificates signed by default using SHA1 with RSA, which is not considered safe anymore for use in certificate signatures, due to the… |
| CVE-2022-24784 | | | 0.00 | — | 0.01 | | Mar 25, 2022 | Statamic is a Laravel and Git powered CMS. Before versions 3.2.39 and 3.3.2, it is possible to confirm a single character of a user's password hash using a specially crafted regular expression filter in the users endpoint of the REST API. Multiple such requests can eventually… |
| CVE-2021-45458 | | | 0.00 | — | 0.02 | | Jan 6, 2022 | Apache Kylin provides encryption classes PasswordPlaceholderConfigurer to help users encrypt their passwords. In the encryption algorithm used by this encryption class, the cipher is initialized with a hardcoded key and IV. If users use class PasswordPlaceholderConfigurer to… |
| CVE-2022-21653 | | | 0.00 | — | 0.01 | | Jan 5, 2022 | Jawn is an open source JSON parser. Extenders of the `org.typelevel.jawn.SimpleFacade` and `org.typelevel.jawn.MutableFacade` who don't override `objectContext()` are vulnerable to a hash collision attack which may result in a denial of service. Most applications do not… |
| CVE-2021-39182 | | | 0.00 | — | 0.01 | | Nov 8, 2021 | EnroCrypt is a Python module for encryption and hashing. Prior to version 1.1.4, EnroCrypt used the MD5 hashing algorithm in the hashing file. Beginners who are unfamiliar with hashes can face problems as MD5 is considered an insecure hashing algorithm. The vulnerability is… |
| CVE-2021-3680 | | | 0.00 | — | 0.00 | | Aug 4, 2021 | showdoc is vulnerable to Missing Cryptographic Step |
| CVE-2020-26263 | | | 0.00 | — | 0.01 | | Dec 21, 2020 | tlslite-ng is an open source python library that implements SSL and TLS cryptographic protocols. In tlslite-ng before versions 0.7.6 and 0.8.0-alpha39, the code that performs decryption and padding check in RSA PKCS#1 v1.5 decryption is data dependent. In particular, the code… |