CWE-331
Insufficient Entropy
Description
The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-59
CVEs mapped to this weakness (72)
page 4 of 4| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-4238 | — | 0.00 | — | 0.01 | Dec 27, 2022 | Randomly-generated alphanumeric strings contain significantly less entropy than expected. The RandomAlphaNumeric and CryptoRandomAlphaNumeric functions always return strings containing at least one digit from 0 to 9. This significantly reduces the amount of entropy in short… | ||
| CVE-2021-4240 | — | 0.00 | — | 0.01 | Nov 15, 2022 | A vulnerability, which was classified as problematic, was found in phpservermon. This affects the function generatePasswordResetToken of the file src/psm/Service/User.php. The manipulation leads to use of predictable algorithm in random number generator. The exploit has been… | ||
| CVE-2021-4241 | — | 0.00 | — | 0.01 | Nov 15, 2022 | A vulnerability, which was classified as problematic, was found in phpservermon. Affected is the function setUserLoggedIn of the file src/psm/Service/User.php. The manipulation leads to use of predictable algorithm in random number generator. The exploit has been disclosed to… | ||
| CVE-2022-31034 | 0.00 | — | 0.01 | Jun 27, 2022 | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting with v0.11.0 are vulnerable to a variety of attacks when an SSO login is initiated from the Argo CD CLI or UI. The vulnerabilities are due to the use of insufficiently… | |||
| CVE-2021-29471 | 0.00 | — | 0.02 | May 11, 2021 | Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.33.2 "Push rules" can specify conditions under which they will match, including… | |||
| CVE-2020-28924 | — | 0.00 | — | 0.01 | Nov 19, 2020 | An issue was discovered in Rclone before 1.53.3. Due to the use of a weak random number generator, the password generator has been producing weak passwords with much less entropy than advertised. The suggested passwords depend deterministically on the time the second rclone was… | ||
| CVE-2017-18883 | — | 0.00 | — | 0.01 | Jun 19, 2020 | An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2, when serving as an OAuth 2.0 Service Provider. There is low entropy for authorization data. | ||
| CVE-2015-8851 | — | 0.00 | — | 0.02 | Jan 30, 2020 | node-uuid before 1.4.4 uses insufficiently random data to create a GUID, which could make it easier for attackers to have unspecified impact via brute force guessing. | ||
| CVE-2019-14806 | — | 0.00 | — | 0.02 | Aug 9, 2019 | Pallets Werkzeug before 0.15.3, when used with Docker, has insufficient debugger PIN randomness because Docker containers share the same machine id. | ||
| CVE-2017-2626 | — | Med | 0.00 | 5.2 | 0.00 | Jul 27, 2018 | It was discovered that libICE before 1.0.9-8 used a weak entropy to generate keys. A local attacker could potentially use this flaw for session hijacking using the information available from the process list. | |
| CVE-2017-2625 | Med | 0.00 | 6.5 | 0.01 | Jul 27, 2018 | It was discovered that libXdmcp before 1.1.2 including used weak entropy to generate session keys. On a multi-user system using xdmcp, a local attacker could potentially use information available from the process list to brute force the key, allowing them to hijack other users'… | ||
| CVE-2012-4687 | 0.00 | — | 0.01 | Dec 8, 2012 | Post Oak AWAM Bluetooth Reader Traffic System does not use a sufficient source of entropy for private keys, which makes it easier for man-in-the-middle attackers to spoof a device by predicting a key value. |
- CVE-2021-4238Dec 27, 2022risk 0.00cvss —epss 0.01
Randomly-generated alphanumeric strings contain significantly less entropy than expected. The RandomAlphaNumeric and CryptoRandomAlphaNumeric functions always return strings containing at least one digit from 0 to 9. This significantly reduces the amount of entropy in short…
- CVE-2021-4240Nov 15, 2022risk 0.00cvss —epss 0.01
A vulnerability, which was classified as problematic, was found in phpservermon. This affects the function generatePasswordResetToken of the file src/psm/Service/User.php. The manipulation leads to use of predictable algorithm in random number generator. The exploit has been…
- CVE-2021-4241Nov 15, 2022risk 0.00cvss —epss 0.01
A vulnerability, which was classified as problematic, was found in phpservermon. Affected is the function setUserLoggedIn of the file src/psm/Service/User.php. The manipulation leads to use of predictable algorithm in random number generator. The exploit has been disclosed to…
- CVE-2022-31034Jun 27, 2022risk 0.00cvss —epss 0.01
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting with v0.11.0 are vulnerable to a variety of attacks when an SSO login is initiated from the Argo CD CLI or UI. The vulnerabilities are due to the use of insufficiently…
- CVE-2021-29471May 11, 2021risk 0.00cvss —epss 0.02
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.33.2 "Push rules" can specify conditions under which they will match, including…
- CVE-2020-28924Nov 19, 2020risk 0.00cvss —epss 0.01
An issue was discovered in Rclone before 1.53.3. Due to the use of a weak random number generator, the password generator has been producing weak passwords with much less entropy than advertised. The suggested passwords depend deterministically on the time the second rclone was…
- CVE-2017-18883Jun 19, 2020risk 0.00cvss —epss 0.01
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2, when serving as an OAuth 2.0 Service Provider. There is low entropy for authorization data.
- CVE-2015-8851Jan 30, 2020risk 0.00cvss —epss 0.02
node-uuid before 1.4.4 uses insufficiently random data to create a GUID, which could make it easier for attackers to have unspecified impact via brute force guessing.
- CVE-2019-14806Aug 9, 2019risk 0.00cvss —epss 0.02
Pallets Werkzeug before 0.15.3, when used with Docker, has insufficient debugger PIN randomness because Docker containers share the same machine id.
- risk 0.00cvss 5.2epss 0.00
It was discovered that libICE before 1.0.9-8 used a weak entropy to generate keys. A local attacker could potentially use this flaw for session hijacking using the information available from the process list.
- risk 0.00cvss 6.5epss 0.01
It was discovered that libXdmcp before 1.1.2 including used weak entropy to generate session keys. On a multi-user system using xdmcp, a local attacker could potentially use information available from the process list to brute force the key, allowing them to hijack other users'…
- CVE-2012-4687Dec 8, 2012risk 0.00cvss —epss 0.01
Post Oak AWAM Bluetooth Reader Traffic System does not use a sufficient source of entropy for private keys, which makes it easier for man-in-the-middle attackers to spoof a device by predicting a key value.