CWE-330
Use of Insufficiently Random Values
Description
The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-112 · CAPEC-485 · CAPEC-59
CVEs mapped to this weakness (149)
Page 6 of 8

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-1631 | — | | 0.00 | — | 0.01 | | Feb 21, 2024 | Impact: The library offers a function to generate an ed25519 key pair via Ed25519KeyIdentity.generate with an optional param to provide a 32 byte seed value, which will then be used as the secret key. When no seed value is provided, it is expected that the library generates the… |
| CVE-2024-21495 | | | 0.00 | — | 0.01 | | Feb 17, 2024 | Versions of the package github.com/greenpau/caddy-security before 1.0.42 are vulnerable to Insecure Randomness due to using an insecure random number generation library which could possibly be predicted via a brute-force search. Attackers could use the potentially predictable… |
| CVE-2024-23688 | | | 0.00 | — | 0.00 | | Jan 19, 2024 | Consensys Discovery versions less than 0.4.5 uses the same AES/GCM nonce for the entire session. which should ideally be unique for every message. The node's private key isn't compromised, only the session key generated for specific peer communication is exposed. |
| CVE-2023-46740 | | | 0.00 | — | 0.00 | | Jan 3, 2024 | CubeFS is an open-source cloud-native file storage system. Prior to version 3.3.1, CubeFS used an insecure random string generator to generate user-specific, sensitive keys used to authenticate users in a CubeFS deployment. This could allow an attacker to predict and/or guess… |
| CVE-2023-48056 | — | | 0.00 | — | 0.00 | | Nov 16, 2023 | PyPinkSign v0.5.1 uses a non-random or static IV for Cipher Block Chaining (CBC) mode in AES encryption. This vulnerability can lead to the disclosure of information and communications. |
| CVE-2023-41879 | | | 0.00 | — | 0.01 | | Sep 11, 2023 | Magento LTS is the official OpenMage LTS codebase. Guest orders may be viewed without authentication using a "guest-view" cookie which contains the order's "protect_code". This code is 6 hexadecimal characters which is arguably not enough to prevent a brute-force attack.… |
| CVE-2020-36732 | — | | 0.00 | — | 0.01 | | Jun 12, 2023 | The crypto-js package before 3.2.1 for Node.js generates random numbers by concatenating the string "0." with an integer, which makes the output more predictable than necessary. |
| CVE-2023-30797 | | | 0.00 | — | 0.01 | | Apr 19, 2023 | Netflix Lemur before version 1.3.2 used insufficiently random values when generating default credentials. The insufficiently random values may allow an attacker to guess the credentials and gain access to resources managed by Lemur. |
| CVE-2022-43755 | | | 0.00 | — | 0.02 | | Feb 7, 2023 | A Insufficient Entropy vulnerability in SUSE Rancher allows attackers that gained knowledge of the cattle-token to continue abusing this even after the token was renewed. This issue affects: SUSE Rancher Rancher versions prior to 2.6.10; Rancher versions prior to 2.7.1. |
| CVE-2021-4248 | — | | 0.00 | — | 0.01 | | Dec 18, 2022 | A vulnerability was found in kapetan dns up to 6.1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file DNS/Protocol/Request.cs. The manipulation leads to insufficient entropy in prng. The attack may be launched remotely.… |
| CVE-2021-4240 | — | | 0.00 | — | 0.01 | | Nov 15, 2022 | A vulnerability, which was classified as problematic, was found in phpservermon. This affects the function generatePasswordResetToken of the file src/psm/Service/User.php. The manipulation leads to use of predictable algorithm in random number generator. The exploit has been… |
| CVE-2021-4241 | — | | 0.00 | — | 0.01 | | Nov 15, 2022 | A vulnerability, which was classified as problematic, was found in phpservermon. Affected is the function setUserLoggedIn of the file src/psm/Service/User.php. The manipulation leads to use of predictable algorithm in random number generator. The exploit has been disclosed to… |
| CVE-2022-36022 | | | 0.00 | — | 0.00 | | Nov 10, 2022 | Deeplearning4J is a suite of tools for deploying and training deep learning models using the JVM. Packages org.deeplearning4j:dl4j-examples and org.deeplearning4j:platform-tests through version 1.0.0-M2.1 may use some unclaimed S3 buckets in tests in examples. This is likely… |
| CVE-2022-39218 | | | 0.00 | — | 0.01 | | Sep 20, 2022 | The JS Compute Runtime for Fastly's Compute@Edge platform provides the environment JavaScript is executed in when using the Compute@Edge JavaScript SDK. In versions prior to 0.5.3, the `Math.random` and `crypto.getRandomValues` methods fail to use sufficiently random values. The… |
| CVE-2022-36045 | | | 0.00 | — | 0.01 | | Aug 31, 2022 | NodeBB Forum Software is powered by Node.js and supports either Redis, MongoDB, or a PostgreSQL database. It utilizes web sockets for instant interactions and real-time notifications. `utils.generateUUID`, a helper function available in essentially all versions of NodeBB (as far… |
| CVE-2021-23451 | — | | 0.00 | — | 0.01 | | Jul 25, 2022 | The package otp-generator before 3.0.0 are vulnerable to Insecure Randomness due to insecure generation of random one-time passwords, which may allow a brute-force attack. |
| CVE-2022-31157 | | | 0.00 | — | 0.00 | | Jul 15, 2022 | LTI 1.3 Tool Library is a library used for building IMS-certified LTI 1.3 tool providers in PHP. Prior to version 5.0, the function used to generate random nonces was not sufficiently cryptographically complex. Users should upgrade to version 5.0 to receive a patch. There are… |
| CVE-2022-31034 | | | 0.00 | — | 0.01 | | Jun 27, 2022 | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting with v0.11.0 are vulnerable to a variety of attacks when an SSO login is initiated from the Argo CD CLI or UI. The vulnerabilities are due to the use of insufficiently… |
| CVE-2022-29245 | | | 0.00 | — | 0.01 | | May 31, 2022 | SSH.NET is a Secure Shell (SSH) library for .NET. In versions 2020.0.0 and 2020.0.1, during an `X25519` key exchange, the client’s private key is generated with `System.Random`. `System.Random` is not a cryptographically secure random number generator, it must therefore not be… |
| CVE-2019-25061 | — | | 0.00 | — | 0.02 | | May 18, 2022 | The random_password_generator (aka RandomPasswordGenerator) gem through 1.0.0 for Ruby uses Kernel#rand to generate passwords, which, due to its cyclic nature, can facilitate password prediction. |