CVEbaza.plSłownik CWECWE-326
Common Weakness Enumeration

CWE-326

Inadequate Encryption Strength

Kategoria: ClassCVE: 520
Opis

Produkt przechowuje lub przesyła wrażliwe dane przy użyciu schematu szyfrowania, który jest teoretycznie poprawny, ale nie jest wystarczająco silny dla wymaganego poziomu ochrony. Zastosowane szyfrowanie nie zapewnia odpowiedniego poziomu bezpieczeństwa dla rodzaju chronionych danych.

Description (EN)

The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

Podatności CVE z CWE-326 (520)
10.0
CVSS
CRITICAL
CVE-2026-44523

Aplikacja Note Mark przed wersją 0.19.4 nie wymuszała minimalnej długości ani entropii wartości konfiguracyjnej JWT_SECRET, akceptując sekrety tak krótkie jak 1 bajt. Skutkuje to słabą kryptografią podpisywania tokenów JWT, co umożliwia ich fałszowanie.

pub. 2026-05-14
10.0
CVSS
CRITICAL
CVE-2025-12478

Urządzenia Azure-Access BLU-IC2 i BLU-IC4 posiadają niezgodną z wymaganiami bezpieczeństwa konfigurację TLS (CWE-326 — niewystarczająca siła szyfrowania), co sklasyfikowano jako podatność krytyczną z wynikiem CVSS 10.0. Błędna konfiguracja szyfrowania komunikacji sieciowej stwarza ryzyko przechwycenia lub manipulacji przesyłanymi danymi bez konieczności uwierzytelnienia.

pub. 2025-10-29
10.0
CVSS
CRITICAL
CVE-2020-6966

In ApexPro Telemetry Server Versions 4.2 and prior, CARESCAPE Telemetry Server v4.2 & prior, Clinical Information Center (CIC) Versions 4.X and 5.X, CARESCAPE Central Station (CSCS) Versions 1.X, the affected products utilize a weak encryption scheme for remote desktop control, which may allow an attacker to obtain remote code execution of devices on the network.

pub. 2020-01-24
10.0
CVSS
CRITICAL
CVE-2019-16649

On Supermicro H11, H12, M11, X9, X10, and X11 products, a combination of encryption and authentication problems in the virtual media service allows capture of BMC credentials and data transferred over virtual media devices. Attackers can use captured credentials to connect virtual USB devices to the server managed by the BMC.

pub. 2019-09-21
10.0
CVSS
HIGH
CVE-2014-9199

The Clorius Controls Java web client before 01.00.0009g allows remote attackers to discover credentials by sniffing the network for cleartext-equivalent traffic.

pub. 2015-01-17
9.8
CVSS
CRITICAL
CVE-2022-45141

Since the Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability was disclosed by Microsoft on Nov 8 2022 and per RFC8429 it is assumed that rc4-hmac is weak, Vulnerable Samba Active Directory DCs will issue rc4-hmac encrypted tickets despite the target server supporting better encryption (eg aes256-cts-hmac-sha1-96).

pub. 2023-03-06
9.8
CVSS
CRITICAL
CVE-2022-24116

Certain General Electric Renewable Energy products have inadequate encryption strength. This affects iNET and iNET II before 8.3.0.

pub. 2022-12-26
9.8
CVSS
CRITICAL
CVE-2022-3273

Allocation of Resources Without Limits or Throttling in GitHub repository ikus060/rdiffweb prior to 2.5.0a4.

pub. 2022-10-06
9.8
CVSS
CRITICAL
CVE-2022-36555

Hytec Inter HWL-2511-SS v1.05 and below implements a SHA512crypt hash for the root account which can be easily cracked via a brute-force attack.

pub. 2022-08-29
9.8
CVSS
CRITICAL
CVE-2022-30285

In Quest KACE Systems Management Appliance (SMA) through 12.0, a hash collision is possible during authentication. This may allow authentication with invalid credentials.

pub. 2022-08-02
9.8
CVSS
CRITICAL
CVE-2021-42216

A Broken or Risky Cryptographic Algorithm exists in AnonAddy 0.8.5 via VerificationController.php.

pub. 2021-12-15
9.8
CVSS
CRITICAL
CVE-2020-14517

Protocol encryption can be easily broken for CodeMeter (All versions prior to 6.90 are affected, including Version 6.90 or newer only if CodeMeter Runtime is running as server) and the server accepts external connections, which may allow an attacker to remotely communicate with the CodeMeter API.

pub. 2020-09-16
9.8
CVSS
CRITICAL
CVE-2020-10275

The access tokens for the REST API are directly derived from the publicly available default credentials for the web interface. Given a USERNAME and a PASSWORD, the token string is generated directly with base64(USERNAME:sha256(PASSWORD)). An unauthorized attacker inside the network can use the default credentials to compute the token and interact with the REST API to exfiltrate, infiltrate or delete data.

pub. 2020-06-24
9.8
CVSS
CRITICAL
CVE-2013-7287

MobileIron VSP < 5.9.1 and Sentry < 5.0 has an insecure encryption scheme.

pub. 2020-02-13
9.8
CVSS
CRITICAL
CVE-2013-2166

python-keystoneclient version 0.2.3 to 0.2.5 has middleware memcache encryption bypass

pub. 2019-12-10
9.8
CVSS
CRITICAL
CVE-2011-4121

The OpenSSL extension of Ruby (Git trunk) versions after 2011-09-01 up to 2011-11-03 always generated an exponent value of '1' to be used for private RSA key generation. A remote attacker could use this flaw to bypass or corrupt integrity of services, depending on strong private RSA keys generation mechanism.

pub. 2019-11-26
9.8
CVSS
CRITICAL
CVE-2019-15805

CommScope ARRIS TR4400 devices with firmware through A1.00.004-180301 are vulnerable to an authentication bypass to the administrative interface because they include the current base64 encoded password within http://192.168.1.1/login.html. Any user connected to the Wi-Fi can exploit this.

pub. 2019-08-29
9.8
CVSS
CRITICAL
CVE-2019-15806

CommScope ARRIS TR4400 devices with firmware through A1.00.004-180301 are vulnerable to an authentication bypass to the administrative interface because they include the current base64 encoded password within http://192.168.1.1/basic_sett.html. Any user connected to the Wi-Fi can exploit this.

pub. 2019-08-29
9.8
CVSS
CRITICAL
CVE-2018-20810

Session data between cluster nodes during cluster synchronization is not properly encrypted in Pulse Secure Pulse Connect Secure (PCS) 8.3RX before 8.3R2 and Pulse Policy Secure (PPS) 5.4RX before 5.4R2. This is not applicable to PCS 8.1RX, PPS 5.2RX, or stand-alone devices.

pub. 2019-06-28
9.8
CVSS
CRITICAL
CVE-2019-10907

Airsonic 10.2.1 uses Spring's default remember-me mechanism based on MD5, with a fixed key of airsonic in GlobalSecurityConfig.java. An attacker able to capture cookies might be able to trivially bruteforce offline the passwords of associated users.

pub. 2019-04-07
Pokazano 20 z 520 podatności
Informacje
ID: CWE-326
Typ: Class
Podatności: 520
MITRE CWE ↗
← Słownik CWE
CWE-326 — Nieadekwatna siła szyfrowania | Słownik CWE | CVEbaza.pl