The software stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
A weak encryption scheme can be subjected to brute force attacks that have a reasonable chance of succeeding using current attack methods and resources.
|Bypass protection mechanism |
Read application data
|An attacker may be able to decrypt the data using brute force attacks.|
Use a cryptographic algorithm that is currently considered to be strong by experts in the field.
A variety of encryption algorithms exist, with various weaknesses. This category could probably be split into smaller sub-categories.
Relationships between CWE-310, CWE-326, and CWE-327 and all their children need to be reviewed and reorganized.
|CVE-2004-2172||Weak encryption (chosen plaintext attack)|
|CVE-2002-1697||Weak encryption produces same ciphertext from the same plaintext blocks.|
|CVE-2005-2281||Weak encryption scheme|
|CVE-2002-1872||Weak encryption (XOR)|
|CVE-2002-1910||Weak encryption (reversible algorithm).|
|CVE-2002-1946||Weak encryption (one-to-one mapping).|
|CVE-2002-1975||Encryption error uses fixed salt, simplifying brute force / dictionary attacks (overlaps randomness).|