CWE-338
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
Description
The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.
Hierarchy (View 1000)
Parents
Children
none
CVEs mapped to this weakness (109)
page 2 of 6| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-41505 | Hig | 0.50 | 8.7 | 0.00 | May 7, 2026 | RELATE is a web-based courseware package. Prior to commit 2f68e16, RELATE is vulnerable to predictable token generation in auth.py's make_sign_in_key() function and exam.py's gen_ticket_code() function. This issue has been patched via commit 2f68e16. | ||
| CVE-2025-69217 | Hig | 0.50 | 7.7 | 0.00 | Dec 30, 2025 | coturn is a free open source implementation of TURN and STUN Server. Versions 4.6.2r5 through 4.7.0-r4 have a bad random number generator for nonces and port randomization after refactoring. Additionally, random numbers aren't generated with openssl's RAND_bytes but libc's… | ||
| CVE-2025-1860 | Hig | 0.50 | 7.7 | 0.00 | Mar 28, 2025 | Data::Entropy for Perl 0.007 and earlier use the rand() function as the default source of entropy, which is not cryptographically secure, for cryptographic functions. | ||
| CVE-2026-9638 | Hig | 0.49 | 7.5 | 0.00 | Jun 12, 2026 | Crypt::PBKDF2 versions before 0.261630 for Perl generate insecure random values for salts. These versions use the built-in rand function, which is predictable and unsuitable for cryptography. | ||
| CVE-2026-41858 | Hig | 0.49 | 7.5 | 0.00 | Jun 4, 2026 | Weak Randomness / Insecure Cryptographic Primitive (CWE-338) in Get-RandomPassword in BOSH-Ecosystem / windows-utilities-release allows a network attacker to estimate VM boot time and reconstruct a small candidate list to recover the Administrator password. The… | ||
| CVE-2026-5088 | Hig | 0.49 | 7.5 | 0.01 | Apr 15, 2026 | Apache::API::Password versions through 0.5.2 for Perl can generate insecure random values for salts. The _make_salt and _make_salt_bcrypt methods will attept to load Crypt::URandom and then Bytes::Random::Secure to generate random bytes for the salt. If those modules are… | ||
| CVE-2026-5087 | Hig | 0.49 | 7.5 | 0.00 | Mar 31, 2026 | PAGI::Middleware::Session::Store::Cookie versions through 0.001003 for Perl generates random bytes insecurely. PAGI::Middleware::Session::Store::Cookie attempts to read bytes from the /dev/urandom device directly. If that fails (for example, on systems without the device, such… | ||
| CVE-2025-40933 | Hig | 0.49 | 7.5 | 0.00 | Sep 17, 2025 | Apache::AuthAny::Cookie v0.201 or earlier for Perl generates session ids insecurely. Session ids are generated using an MD5 hash of the epoch time and a call to the built-in rand function. The epoch time may be guessed, if it is not leaked from the HTTP Date header. The… | ||
| CVE-2025-40920 | Hig | 0.49 | 8.6 | 0.00 | Aug 11, 2025 | Catalyst::Authentication::Credential::HTTP versions 1.018 and earlier for Perl generate nonces using the Perl Data::UUID library. * Data::UUID does not use a strong cryptographic source for generating UUIDs. * Data::UUID returns v3 UUIDs, which are generated from known… | ||
| CVE-2024-34538 | Hig | 0.49 | 7.5 | 0.01 | May 6, 2024 | Mateso PasswordSafe through 8.13.9.26689 has Weak Cryptography. | ||
| CVE-2018-12975 | Hig | 0.49 | 7.5 | 0.01 | Sep 24, 2018 | The random() function of the smart contract implementation for CryptoSaga, an Ethereum game, generates a random value with publicly readable variables such as timestamp, the current block's blockhash, and a private variable (which can be read with a getStorageAt call).… | ||
| CVE-2018-5837 | Hig | 0.49 | 7.5 | 0.01 | Sep 20, 2018 | In Snapdragon (Automobile, Mobile, Wear) in version IPQ8074, MDM9206, MDM9607, MDM9640, MDM9650, MSM8996AU, QCA6574AU, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 625, SD 820A, SD 835, SD 845, SD 850, SDA660, SDM429, SDM439, SDM630, SDM632, SDM636, SDM660,… | ||
| CVE-2018-11291 | Hig | 0.49 | 7.5 | 0.01 | Sep 20, 2018 | In Snapdragon (Automobile, Mobile, Wear) in version IPQ8074, MDM9206, MDM9607, MDM9640, MDM9650, MSM8996AU, QCA4531, QCA6174A, QCA6564, QCA6574, QCA6574AU, QCA6584, QCA6584AU, QCA9377, QCA9378, QCA9379, SD 425, SD 427, SD 430, SD 435, SD 450, SD 600, SD 625, SD 650/52, SD 810,… | ||
| CVE-2018-11290 | Hig | 0.49 | 7.5 | 0.01 | Sep 20, 2018 | In Snapdragon (Automobile, Mobile, Wear) in version MDM9206, MDM9607, MDM9640, MDM9650, MSM8996AU, QCA6574AU, QCA6584, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 625, SD 650/52, SD 820A, SD 845, SDM429, SDM439, SDM630, SDM632, SDM636, SDM660, SDX20,… | ||
| CVE-2018-17071 | Hig | 0.49 | 7.5 | 0.01 | Sep 18, 2018 | The fallback function of a simple lottery smart contract implementation for Lucky9io, an Ethereum gambling game, generates a random value with the publicly readable variable entry_number. This variable is private, yet it is readable by eth.getStorageAt function. Also, attackers… | ||
| CVE-2018-15552 | Hig | 0.49 | 7.5 | 0.01 | Sep 7, 2018 | The "PayWinner" function of a simplelottery smart contract implementation for The Ethereum Lottery, an Ethereum gambling game, generates a random value with publicly readable variable "maxTickets" (which is private, yet predictable and readable by the eth.getStorageAt function).… | ||
| CVE-2018-12056 | Hig | 0.49 | 7.5 | 0.02 | Aug 15, 2018 | The maxRandom function of a smart contract implementation for All For One, an Ethereum gambling game, generates a random value with publicly readable variables because the _seed value can be retrieved with a getStorageAt call. Therefore, it allows attackers to always win and get… | ||
| CVE-2018-14715 | Hig | 0.49 | 7.5 | 0.01 | Aug 3, 2018 | The endCoinFlip function and throwSlammer function of the smart contract implementations for Cryptogs, an Ethereum game, generate random numbers with an old block's hash. Therefore, attackers can predict the random number and always win the game. | ||
| CVE-2018-12454 | — | Hig | 0.49 | 7.5 | 0.01 | Jun 17, 2018 | The _addguess function of a simplelottery smart contract implementation for 1000 Guess, an Ethereum gambling game, generates a random value with publicly readable variables such as the current block information and a private variable (which can be read with a getStorageAt call).… | |
| CVE-2017-9230 | Hig | 0.49 | 7.5 | 0.03 | May 24, 2017 | The Bitcoin Proof-of-Work algorithm does not consider a certain attack methodology related to 80-byte block headers with a variety of initial 64-byte chunks followed by the same 16-byte chunk, multiple candidate root values ending with the same 4 bytes, and calculations… |
- risk 0.50cvss 8.7epss 0.00
RELATE is a web-based courseware package. Prior to commit 2f68e16, RELATE is vulnerable to predictable token generation in auth.py's make_sign_in_key() function and exam.py's gen_ticket_code() function. This issue has been patched via commit 2f68e16.
- risk 0.50cvss 7.7epss 0.00
coturn is a free open source implementation of TURN and STUN Server. Versions 4.6.2r5 through 4.7.0-r4 have a bad random number generator for nonces and port randomization after refactoring. Additionally, random numbers aren't generated with openssl's RAND_bytes but libc's…
- risk 0.50cvss 7.7epss 0.00
Data::Entropy for Perl 0.007 and earlier use the rand() function as the default source of entropy, which is not cryptographically secure, for cryptographic functions.
- risk 0.49cvss 7.5epss 0.00
Crypt::PBKDF2 versions before 0.261630 for Perl generate insecure random values for salts. These versions use the built-in rand function, which is predictable and unsuitable for cryptography.
- risk 0.49cvss 7.5epss 0.00
Weak Randomness / Insecure Cryptographic Primitive (CWE-338) in Get-RandomPassword in BOSH-Ecosystem / windows-utilities-release allows a network attacker to estimate VM boot time and reconstruct a small candidate list to recover the Administrator password. The…
- risk 0.49cvss 7.5epss 0.01
Apache::API::Password versions through 0.5.2 for Perl can generate insecure random values for salts. The _make_salt and _make_salt_bcrypt methods will attept to load Crypt::URandom and then Bytes::Random::Secure to generate random bytes for the salt. If those modules are…
- risk 0.49cvss 7.5epss 0.00
PAGI::Middleware::Session::Store::Cookie versions through 0.001003 for Perl generates random bytes insecurely. PAGI::Middleware::Session::Store::Cookie attempts to read bytes from the /dev/urandom device directly. If that fails (for example, on systems without the device, such…
- risk 0.49cvss 7.5epss 0.00
Apache::AuthAny::Cookie v0.201 or earlier for Perl generates session ids insecurely. Session ids are generated using an MD5 hash of the epoch time and a call to the built-in rand function. The epoch time may be guessed, if it is not leaked from the HTTP Date header. The…
- risk 0.49cvss 8.6epss 0.00
Catalyst::Authentication::Credential::HTTP versions 1.018 and earlier for Perl generate nonces using the Perl Data::UUID library. * Data::UUID does not use a strong cryptographic source for generating UUIDs. * Data::UUID returns v3 UUIDs, which are generated from known…
- risk 0.49cvss 7.5epss 0.01
Mateso PasswordSafe through 8.13.9.26689 has Weak Cryptography.
- risk 0.49cvss 7.5epss 0.01
The random() function of the smart contract implementation for CryptoSaga, an Ethereum game, generates a random value with publicly readable variables such as timestamp, the current block's blockhash, and a private variable (which can be read with a getStorageAt call).…
- risk 0.49cvss 7.5epss 0.01
In Snapdragon (Automobile, Mobile, Wear) in version IPQ8074, MDM9206, MDM9607, MDM9640, MDM9650, MSM8996AU, QCA6574AU, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 625, SD 820A, SD 835, SD 845, SD 850, SDA660, SDM429, SDM439, SDM630, SDM632, SDM636, SDM660,…
- risk 0.49cvss 7.5epss 0.01
In Snapdragon (Automobile, Mobile, Wear) in version IPQ8074, MDM9206, MDM9607, MDM9640, MDM9650, MSM8996AU, QCA4531, QCA6174A, QCA6564, QCA6574, QCA6574AU, QCA6584, QCA6584AU, QCA9377, QCA9378, QCA9379, SD 425, SD 427, SD 430, SD 435, SD 450, SD 600, SD 625, SD 650/52, SD 810,…
- risk 0.49cvss 7.5epss 0.01
In Snapdragon (Automobile, Mobile, Wear) in version MDM9206, MDM9607, MDM9640, MDM9650, MSM8996AU, QCA6574AU, QCA6584, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 625, SD 650/52, SD 820A, SD 845, SDM429, SDM439, SDM630, SDM632, SDM636, SDM660, SDX20,…
- risk 0.49cvss 7.5epss 0.01
The fallback function of a simple lottery smart contract implementation for Lucky9io, an Ethereum gambling game, generates a random value with the publicly readable variable entry_number. This variable is private, yet it is readable by eth.getStorageAt function. Also, attackers…
- risk 0.49cvss 7.5epss 0.01
The "PayWinner" function of a simplelottery smart contract implementation for The Ethereum Lottery, an Ethereum gambling game, generates a random value with publicly readable variable "maxTickets" (which is private, yet predictable and readable by the eth.getStorageAt function).…
- risk 0.49cvss 7.5epss 0.02
The maxRandom function of a smart contract implementation for All For One, an Ethereum gambling game, generates a random value with publicly readable variables because the _seed value can be retrieved with a getStorageAt call. Therefore, it allows attackers to always win and get…
- risk 0.49cvss 7.5epss 0.01
The endCoinFlip function and throwSlammer function of the smart contract implementations for Cryptogs, an Ethereum game, generate random numbers with an old block's hash. Therefore, attackers can predict the random number and always win the game.
- risk 0.49cvss 7.5epss 0.01
The _addguess function of a simplelottery smart contract implementation for 1000 Guess, an Ethereum gambling game, generates a random value with publicly readable variables such as the current block information and a private variable (which can be read with a getStorageAt call).…
- risk 0.49cvss 7.5epss 0.03
The Bitcoin Proof-of-Work algorithm does not consider a certain attack methodology related to 80-byte block headers with a variety of initial 64-byte chunks followed by the same 16-byte chunk, multiple candidate root values ending with the same 4 bytes, and calculations…