VYPR

CWE-331

Insufficient Entropy

Base | Draft

Description

The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.

Hierarchy (View 1000)

Parents

Related attack patterns (CAPEC)

CAPEC-59

CVEs mapped to this weakness (72)

page 3 of 4
  • CVE-2018-8435 | Med | Sep 13, 2018
    risk 0.27 | cvss 4.2 | epss 0.01

    A security feature bypass vulnerability exists when Windows Hyper-V BIOS loader fails to provide a high-entropy source, aka "Windows Hyper-V Security Feature Bypass Vulnerability." This affects Windows Server 2016, Windows 10, Windows 10 Servers.

  • CVE-2025-27552 | Med | Mar 26, 2025
    risk 0.26 | cvss 4.0 | epss 0.00

    DBIx::Class::EncodedColumn uses the rand() function, which is not cryptographically secure, to salt password hashes. This vulnerability is associated with program files Crypt/Eksblowfish/Bcrypt.pm. This issue affects DBIx::Class::EncodedColumn until 0.00032.

  • CVE-2025-27551 | Med | Mar 26, 2025
    risk 0.26 | cvss 4.0 | epss 0.00

    DBIx::Class::EncodedColumn uses the rand() function, which is not cryptographically secure, to salt password hashes. This vulnerability is associated with program files lib/DBIx/Class/EncodedColumn/Digest.pm. This issue affects DBIx::Class::EncodedColumn until 0.00032.

  • CVE-2025-6931 | Low | Jun 30, 2025
    risk 0.24 | cvss 3.7 | epss 0.02

    A vulnerability classified as problematic was found in D-Link DCS-6517 and DCS-7517 up to 2.02.0. Affected by this vulnerability is the function generate_pass_from_mac of the file /bin/httpd of the component Root Password Generation Handler. The manipulation leads to…

  • CVE-2025-62774 | Low | Oct 22, 2025
    risk 0.20 | cvss 3.1 | epss 0.00

    On Mercku M6a devices through 2.1.0, the authentication system uses predictable session tokens based on timestamps.

  • CVE-2025-2814 | Med | Apr 13, 2025
    risk 0.19 | cvss 4.0 | epss 0.00

    Crypt::CBC versions between 1.21 and 3.05 for Perl may use the rand() function as the default source of entropy, which is not cryptographically secure, for cryptographic functions. This issue affects operating systems where "/dev/urandom" is unavailable. In that case,…

  • CVE-2026-41080 | Low | Apr 16, 2026
    risk 0.12 | cvss 2.9 | epss 0.00

    libexpat before 2.8.0 uses insufficient entropy, and thus hash flooding can occur via a crafted XML document.

  • CVE-2018-18326 | Jul 3, 2019
    risk 0.09 | cvss | epss 0.54

    DNN (aka DotNetNuke) 9.2 through 9.2.2 incorrectly converts encryption key source values, resulting in lower than expected entropy. NOTE: this issue exists because of an incomplete fix for CVE-2018-15812.

  • CVE-2018-15812 | Jul 3, 2019
    risk 0.09 | cvss | epss 0.47

    DNN (aka DotNetNuke) 9.2 through 9.2.1 incorrectly converts encryption key source values, resulting in lower than expected entropy.

  • CVE-2025-7432 | Low | Feb 9, 2026
    risk 0.07 | cvss | epss 0.00

    DPA countermeasures in Silicon Labs' Series 2 devices are not reseeded under certain conditions. This may allow an attacker to eventually extract secret keys through a DPA attack.

  • CVE-2026-22698 | Jan 10, 2026
    risk 0.00 | cvss | epss 0.00

    RustCrypto: Elliptic Curves is general purpose Elliptic Curve Cryptography (ECC) support, including types and traits for representing various elliptic curve forms, scalars, points, and public/secret keys composed thereof. In versions 0.14.0-pre.0 and 0.14.0-rc.0, a critical…

  • CVE-2025-66565 | Dec 9, 2025
    risk 0.00 | cvss | epss 0.00

    Fiber Utils is a collection of common functions created for Fiber. In versions 2.0.0-rc.3 and below, when the system's cryptographic random number generator (crypto/rand) fails, both functions silently fall back to returning predictable UUID values, including the zero UUID…

  • CVE-2025-59015 | Sep 9, 2025
    risk 0.00 | cvss | epss 0.00

    A deterministic three‑character prefix in the Password Generation component of TYPO3 CMS versions 12.0.0–12.4.36 and 13.0.0–13.4.17 reduces entropy, allowing attackers to carry out brute‑force attacks more quickly.

  • CVE-2024-8796 | Sep 17, 2024
    risk 0.00 | cvss | epss 0.01

    Under the default configuration, Devise-Two-Factor versions >= 2.2.0 & < 6.0.0 generate TOTP shared secrets that are 120 bits instead of the 128-bit minimum defined by RFC 4226. Using a shared secret shorter than the minimum to generate a multi-factor authentication code could…

  • CVE-2024-36400 | Jun 4, 2024
    risk 0.00 | cvss | epss 0.01

    nano-id is a unique string ID generator for Rust. Affected versions of the nano-id crate incorrectly generated IDs using a reduced character set in the `nano_id::base62` and `nano_id::base58` functions. Specifically, the `base62` function used a character set of 32 symbols…

  • CVE-2023-49599 | Jan 10, 2024
    risk 0.00 | cvss | epss 0.01

    An insufficient entropy vulnerability exists in the salt generation functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted series of HTTP requests can lead to privilege escalation. An attacker can gather system information via HTTP requests and brute…

  • CVE-2023-26154 | Dec 6, 2023
    risk 0.00 | cvss | epss 0.01

    Versions of the package pubnub before 7.4.0; all versions of the package com.pubnub:pubnub; versions of the package pubnub before 6.19.0; all versions of the package github.com/pubnub/go; versions of the package github.com/pubnub/go/v7 before 7.2.0; versions of the package…

  • CVE-2023-31582 | Oct 24, 2023
    risk 0.00 | cvss | epss 0.01

    jose4j before v0.9.3 allows attackers to set a low iteration count of 1000 or less.

  • CVE-2020-36732 | Jun 12, 2023
    risk 0.00 | cvss | epss 0.01

    The crypto-js package before 3.2.1 for Node.js generates random numbers by concatenating the string "0." with an integer, which makes the output more predictable than necessary.

  • CVE-2022-43755 | Feb 7, 2023
    risk 0.00 | cvss | epss 0.02

    An Insufficient Entropy vulnerability in SUSE Rancher allows attackers that gained knowledge of the cattle-token to continue abusing this even after the token was renewed. This issue affects: SUSE Rancher Rancher versions prior to 2.6.10; Rancher versions prior to 2.7.1.