VYPR

CWE-330

Use of Insufficiently Random Values

Class · Stable · Likelihood: High

Description

The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.

Related attack patterns (CAPEC)

CAPEC-112 · CAPEC-485 · CAPEC-59

CVEs mapped to this weakness (149)

page 6 of 8
  • CVE-2024-1631 · Feb 21, 2024
    risk 0.00 · cvss · epss 0.01

    Impact: The library offers a function to generate an ed25519 key pair via Ed25519KeyIdentity.generate with an optional param to provide a 32 byte seed value, which will then be used as the secret key. When no seed value is provided, it is expected that the library generates the…

  • CVE-2024-21495 · Feb 17, 2024
    risk 0.00 · cvss · epss 0.01

    Versions of the package github.com/greenpau/caddy-security before 1.0.42 are vulnerable to Insecure Randomness due to using an insecure random number generation library which could possibly be predicted via a brute-force search. Attackers could use the potentially predictable…

  • CVE-2024-23688 · Jan 19, 2024
    risk 0.00 · cvss · epss 0.00

    Consensys Discovery versions less than 0.4.5 use the same AES/GCM nonce for the entire session, which should ideally be unique for every message. The node's private key isn't compromised; only the session key generated for specific peer communication is exposed.

  • CVE-2023-46740 · Jan 3, 2024
    risk 0.00 · cvss · epss 0.00

    CubeFS is an open-source cloud-native file storage system. Prior to version 3.3.1, CubeFS used an insecure random string generator to generate user-specific, sensitive keys used to authenticate users in a CubeFS deployment. This could allow an attacker to predict and/or guess…

  • CVE-2023-48056 · Nov 16, 2023
    risk 0.00 · cvss · epss 0.00

    PyPinkSign v0.5.1 uses a non-random or static IV for Cipher Block Chaining (CBC) mode in AES encryption. This vulnerability can lead to the disclosure of information and communications.

  • CVE-2023-41879 · Sep 11, 2023
    risk 0.00 · cvss · epss 0.01

    Magento LTS is the official OpenMage LTS codebase. Guest orders may be viewed without authentication using a "guest-view" cookie which contains the order's "protect_code". This code is 6 hexadecimal characters which is arguably not enough to prevent a brute-force attack.…

  • CVE-2020-36732 · Jun 12, 2023
    risk 0.00 · cvss · epss 0.01

    The crypto-js package before 3.2.1 for Node.js generates random numbers by concatenating the string "0." with an integer, which makes the output more predictable than necessary.

  • CVE-2023-30797 · Apr 19, 2023
    risk 0.00 · cvss · epss 0.01

    Netflix Lemur before version 1.3.2 used insufficiently random values when generating default credentials. The insufficiently random values may allow an attacker to guess the credentials and gain access to resources managed by Lemur.

  • CVE-2022-43755 · Feb 7, 2023
    risk 0.00 · cvss · epss 0.02

    An Insufficient Entropy vulnerability in SUSE Rancher allows attackers that gained knowledge of the cattle-token to continue abusing this even after the token was renewed. This issue affects SUSE Rancher: Rancher versions prior to 2.6.10; Rancher versions prior to 2.7.1.

  • CVE-2021-4248 · Dec 18, 2022
    risk 0.00 · cvss · epss 0.01

    A vulnerability was found in kapetan dns up to 6.1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file DNS/Protocol/Request.cs. The manipulation leads to insufficient entropy in prng. The attack may be launched remotely.…

  • CVE-2021-4240 · Nov 15, 2022
    risk 0.00 · cvss · epss 0.01

    A vulnerability, which was classified as problematic, was found in phpservermon. This affects the function generatePasswordResetToken of the file src/psm/Service/User.php. The manipulation leads to use of predictable algorithm in random number generator. The exploit has been…

  • CVE-2021-4241 · Nov 15, 2022
    risk 0.00 · cvss · epss 0.01

    A vulnerability, which was classified as problematic, was found in phpservermon. Affected is the function setUserLoggedIn of the file src/psm/Service/User.php. The manipulation leads to use of predictable algorithm in random number generator. The exploit has been disclosed to…

  • CVE-2022-36022 · Nov 10, 2022
    risk 0.00 · cvss · epss 0.00

    Deeplearning4J is a suite of tools for deploying and training deep learning models using the JVM. Packages org.deeplearning4j:dl4j-examples and org.deeplearning4j:platform-tests through version 1.0.0-M2.1 may use some unclaimed S3 buckets in tests in examples. This is likely…

  • CVE-2022-39218 · Sep 20, 2022
    risk 0.00 · cvss · epss 0.01

    The JS Compute Runtime for Fastly's Compute@Edge platform provides the environment JavaScript is executed in when using the Compute@Edge JavaScript SDK. In versions prior to 0.5.3, the `Math.random` and `crypto.getRandomValues` methods fail to use sufficiently random values. The…

  • CVE-2022-36045 · Aug 31, 2022
    risk 0.00 · cvss · epss 0.01

    NodeBB Forum Software is powered by Node.js and supports either Redis, MongoDB, or a PostgreSQL database. It utilizes web sockets for instant interactions and real-time notifications. `utils.generateUUID`, a helper function available in essentially all versions of NodeBB (as far…

  • CVE-2021-23451 · Jul 25, 2022
    risk 0.00 · cvss · epss 0.01

    The package otp-generator before 3.0.0 is vulnerable to Insecure Randomness due to insecure generation of random one-time passwords, which may allow a brute-force attack.

  • CVE-2022-31157 · Jul 15, 2022
    risk 0.00 · cvss · epss 0.00

    LTI 1.3 Tool Library is a library used for building IMS-certified LTI 1.3 tool providers in PHP. Prior to version 5.0, the function used to generate random nonces was not sufficiently cryptographically complex. Users should upgrade to version 5.0 to receive a patch. There are…

  • CVE-2022-31034 · Jun 27, 2022
    risk 0.00 · cvss · epss 0.01

    Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting with v0.11.0 are vulnerable to a variety of attacks when an SSO login is initiated from the Argo CD CLI or UI. The vulnerabilities are due to the use of insufficiently…

  • CVE-2022-29245 · May 31, 2022
    risk 0.00 · cvss · epss 0.01

    SSH.NET is a Secure Shell (SSH) library for .NET. In versions 2020.0.0 and 2020.0.1, during an `X25519` key exchange, the client’s private key is generated with `System.Random`. `System.Random` is not a cryptographically secure random number generator; it must therefore not be…

  • CVE-2019-25061 · May 18, 2022
    risk 0.00 · cvss · epss 0.02

    The random_password_generator (aka RandomPasswordGenerator) gem through 1.0.0 for Ruby uses Kernel#rand to generate passwords, which, due to its cyclic nature, can facilitate password prediction.