CWE-330
Use of Insufficiently Random Values
Description
The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-112 · CAPEC-485 · CAPEC-59
CVEs mapped to this weakness (149)
page 7 of 8| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-45458 | — | 0.00 | — | 0.02 | Jan 6, 2022 | Apache Kylin provides encryption classes PasswordPlaceholderConfigurer to help users encrypt their passwords. In the encryption algorithm used by this encryption class, the cipher is initialized with a hardcoded key and IV. If users use class PasswordPlaceholderConfigurer to… | ||
| CVE-2021-3692 | 0.00 | — | 0.02 | Aug 10, 2021 | yii2 is vulnerable to Use of Predictable Algorithm in Random Number Generator | |||
| CVE-2021-3689 | 0.00 | — | 0.02 | Aug 10, 2021 | yii2 is vulnerable to Use of Predictable Algorithm in Random Number Generator | |||
| CVE-2021-29480 | 0.00 | — | 0.00 | Jun 29, 2021 | Ratpack is a toolkit for creating web applications. In versions prior to 1.9.0, the client side session module uses the application startup time as the signing key by default. This means that if an attacker can determine this time, and if encryption is not also used (which is… | |||
| CVE-2020-10729 | — | 0.00 | — | 0.00 | May 27, 2021 | A flaw was found in the use of insufficiently random values in Ansible. Two random password lookups of the same length generate the equal value as the template caching action for the same file since no re-evaluation happens. The highest threat from this vulnerability would be… | ||
| CVE-2021-29499 | 0.00 | — | 0.01 | May 7, 2021 | SIF is an open source implementation of the Singularity Container Image Format. The `siftool new` command and func siftool.New() produce predictable UUID identifiers due to insecure randomness in the version of the `github.com/satori/go.uuid` module used as a dependency. A patch… | |||
| CVE-2021-28055 | — | 0.00 | — | 0.01 | Apr 15, 2021 | An issue was discovered in Centreon-Web in Centreon Platform 20.10.0. The anti-CSRF token generation is predictable, which might allow CSRF attacks that add an admin user. | ||
| CVE-2021-27884 | — | 0.00 | — | 0.00 | Mar 1, 2021 | Weak JSON Web Token (JWT) signing secret generation in YMFE YApi through 1.9.2 allows recreation of other users' JWT tokens. This occurs because Math.random in Node.js is used. | ||
| CVE-2021-26296 | 0.00 | — | 0.03 | Feb 19, 2021 | In the default configuration, Apache MyFaces Core versions 2.2.0 to 2.2.13, 2.3.0 to 2.3.7, 2.3-next-M1 to 2.3-next-M4, and 3.0.0-RC1 use cryptographically weak implicit and explicit cross-site request forgery (CSRF) tokens. Due to that limitation, it is possible (although… | |||
| CVE-2021-27378 | — | 0.00 | — | 0.01 | Feb 18, 2021 | An issue was discovered in the rand_core crate before 0.6.2 for Rust. Because read_u32_into and read_u64_into mishandle certain buffer-length checks, a random number generator may be seeded with too little data. | ||
| CVE-2020-5408 | 0.00 | — | 0.02 | May 14, 2020 | Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A malicious user with access to… | |||
| CVE-2019-19135 | — | 0.00 | — | 0.01 | Mar 16, 2020 | In OPC Foundation OPC UA .NET Standard codebase 1.4.357.28, servers do not create sufficiently random numbers in OPCFoundation.NetStandard.Opc.Ua before 1.4.359.31, which allows man in the middle attackers to reuse encrypted user credentials sent over the network. | ||
| CVE-2020-1731 | 0.00 | — | 0.01 | Mar 2, 2020 | A flaw was found in all versions of the Keycloak operator, before version 8.0.2,(community only) where the operator generates a random admin password when installing Keycloak, however the password remains the same when deployed to the same OpenShift namespace. | |||
| CVE-2020-2099 | 0.00 | — | 0.01 | Jan 29, 2020 | Jenkins 2.213 and earlier, LTS 2.204.1 and earlier improperly reuses encryption key parameters in the Inbound TCP Agent Protocol/3, allowing unauthorized attackers with knowledge of agent names to obtain the connection secrets for those agents, which can be used to connect to… | |||
| CVE-2013-0294 | 0.00 | — | 0.03 | Jan 28, 2020 | packet.py in pyrad before 2.1 uses weak random numbers to generate RADIUS authenticators and hash passwords, which makes it easier for remote attackers to obtain sensitive information via a brute force attack. | |||
| CVE-2019-19794 | — | 0.00 | — | 0.02 | Dec 13, 2019 | The miekg Go DNS package before 1.1.25, as used in CoreDNS before 1.6.6 and other products, improperly generates random numbers because math/rand is used. The TXID becomes predictable, leading to response forgeries. | ||
| CVE-2010-3666 | — | 0.00 | — | 0.01 | Nov 4, 2019 | TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 contains insecure randomness in the uniqid function. | ||
| CVE-2019-10754 | — | 0.00 | — | 0.02 | Sep 23, 2019 | Multiple classes used within Apereo CAS before release 6.1.0-RC5 makes use of apache commons-lang3 RandomStringUtils for token and ID generation which makes them predictable due to RandomStringUtils PRNG's algorithm not being cryptographically strong. | ||
| CVE-2019-7886 | 0.00 | — | 0.01 | Aug 2, 2019 | A cryptograhic flaw exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. A weak cryptograhic mechanism is used to generate the intialization vector in multiple security relevant contexts. | |||
| CVE-2019-3795 | 0.00 | — | 0.02 | Apr 9, 2019 | Spring Security versions 4.2.x prior to 4.2.12, 5.0.x prior to 5.0.12, and 5.1.x prior to 5.1.5 contain an insecure randomness vulnerability when using SecureRandomFactoryBean#setSeed to configure a SecureRandom instance. In order to be impacted, an honest application must… |
- CVE-2021-45458Jan 6, 2022risk 0.00cvss —epss 0.02
Apache Kylin provides encryption classes PasswordPlaceholderConfigurer to help users encrypt their passwords. In the encryption algorithm used by this encryption class, the cipher is initialized with a hardcoded key and IV. If users use class PasswordPlaceholderConfigurer to…
- CVE-2021-3692Aug 10, 2021risk 0.00cvss —epss 0.02
yii2 is vulnerable to Use of Predictable Algorithm in Random Number Generator
- CVE-2021-3689Aug 10, 2021risk 0.00cvss —epss 0.02
yii2 is vulnerable to Use of Predictable Algorithm in Random Number Generator
- CVE-2021-29480Jun 29, 2021risk 0.00cvss —epss 0.00
Ratpack is a toolkit for creating web applications. In versions prior to 1.9.0, the client side session module uses the application startup time as the signing key by default. This means that if an attacker can determine this time, and if encryption is not also used (which is…
- CVE-2020-10729May 27, 2021risk 0.00cvss —epss 0.00
A flaw was found in the use of insufficiently random values in Ansible. Two random password lookups of the same length generate the equal value as the template caching action for the same file since no re-evaluation happens. The highest threat from this vulnerability would be…
- CVE-2021-29499May 7, 2021risk 0.00cvss —epss 0.01
SIF is an open source implementation of the Singularity Container Image Format. The `siftool new` command and func siftool.New() produce predictable UUID identifiers due to insecure randomness in the version of the `github.com/satori/go.uuid` module used as a dependency. A patch…
- CVE-2021-28055Apr 15, 2021risk 0.00cvss —epss 0.01
An issue was discovered in Centreon-Web in Centreon Platform 20.10.0. The anti-CSRF token generation is predictable, which might allow CSRF attacks that add an admin user.
- CVE-2021-27884Mar 1, 2021risk 0.00cvss —epss 0.00
Weak JSON Web Token (JWT) signing secret generation in YMFE YApi through 1.9.2 allows recreation of other users' JWT tokens. This occurs because Math.random in Node.js is used.
- CVE-2021-26296Feb 19, 2021risk 0.00cvss —epss 0.03
In the default configuration, Apache MyFaces Core versions 2.2.0 to 2.2.13, 2.3.0 to 2.3.7, 2.3-next-M1 to 2.3-next-M4, and 3.0.0-RC1 use cryptographically weak implicit and explicit cross-site request forgery (CSRF) tokens. Due to that limitation, it is possible (although…
- CVE-2021-27378Feb 18, 2021risk 0.00cvss —epss 0.01
An issue was discovered in the rand_core crate before 0.6.2 for Rust. Because read_u32_into and read_u64_into mishandle certain buffer-length checks, a random number generator may be seeded with too little data.
- CVE-2020-5408May 14, 2020risk 0.00cvss —epss 0.02
Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A malicious user with access to…
- CVE-2019-19135Mar 16, 2020risk 0.00cvss —epss 0.01
In OPC Foundation OPC UA .NET Standard codebase 1.4.357.28, servers do not create sufficiently random numbers in OPCFoundation.NetStandard.Opc.Ua before 1.4.359.31, which allows man in the middle attackers to reuse encrypted user credentials sent over the network.
- CVE-2020-1731Mar 2, 2020risk 0.00cvss —epss 0.01
A flaw was found in all versions of the Keycloak operator, before version 8.0.2,(community only) where the operator generates a random admin password when installing Keycloak, however the password remains the same when deployed to the same OpenShift namespace.
- CVE-2020-2099Jan 29, 2020risk 0.00cvss —epss 0.01
Jenkins 2.213 and earlier, LTS 2.204.1 and earlier improperly reuses encryption key parameters in the Inbound TCP Agent Protocol/3, allowing unauthorized attackers with knowledge of agent names to obtain the connection secrets for those agents, which can be used to connect to…
- CVE-2013-0294Jan 28, 2020risk 0.00cvss —epss 0.03
packet.py in pyrad before 2.1 uses weak random numbers to generate RADIUS authenticators and hash passwords, which makes it easier for remote attackers to obtain sensitive information via a brute force attack.
- CVE-2019-19794Dec 13, 2019risk 0.00cvss —epss 0.02
The miekg Go DNS package before 1.1.25, as used in CoreDNS before 1.6.6 and other products, improperly generates random numbers because math/rand is used. The TXID becomes predictable, leading to response forgeries.
- CVE-2010-3666Nov 4, 2019risk 0.00cvss —epss 0.01
TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 contains insecure randomness in the uniqid function.
- CVE-2019-10754Sep 23, 2019risk 0.00cvss —epss 0.02
Multiple classes used within Apereo CAS before release 6.1.0-RC5 makes use of apache commons-lang3 RandomStringUtils for token and ID generation which makes them predictable due to RandomStringUtils PRNG's algorithm not being cryptographically strong.
- CVE-2019-7886Aug 2, 2019risk 0.00cvss —epss 0.01
A cryptograhic flaw exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. A weak cryptograhic mechanism is used to generate the intialization vector in multiple security relevant contexts.
- CVE-2019-3795Apr 9, 2019risk 0.00cvss —epss 0.02
Spring Security versions 4.2.x prior to 4.2.12, 5.0.x prior to 5.0.12, and 5.1.x prior to 5.1.5 contain an insecure randomness vulnerability when using SecureRandomFactoryBean#setSeed to configure a SecureRandom instance. In order to be impacted, an honest application must…