VYPR

CWE-338

Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

Abstraction: Base | Status: Draft | Likelihood: Medium

Description

The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.
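The weakness described above, as an added Go example that is not part of this page or of any project listed on it: WeakToken is the clock-seeded math/rand pattern, RecoverSeed is the attacker's side (brute-forcing a plausible seed window to recover the token), and StrongTokenFrom/StrongToken read from crypto/rand and surface a read failure as an error instead of returning a default value, which is the silent-fallback variant recorded in CVE-2025-66630 and CVE-2025-66565 in the list below. The function names, the 16-byte token size, the one-hour seed window and the brokenReader stand-in are assumptions made for this example.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	mrand "math/rand"
	"time"
)

// WeakToken is the CWE-338 anti-pattern: a general-purpose PRNG (math/rand)
// seeded from something an attacker can estimate, such as the clock.
// The output is a pure function of the seed, so it is guessable, not random.
func WeakToken(seed int64, n int) string {
	r := mrand.New(mrand.NewSource(seed))
	b := make([]byte, n)
	for i := range b {
		b[i] = byte(r.Intn(256))
	}
	return hex.EncodeToString(b)
}

// RecoverSeed is the attacker's side: given an observed weak token and a
// plausible seed window (assumed here: issue time +/- an hour), brute-force
// the seed. Knowing the seed lets the attacker regenerate every other token
// that PRNG instance produced.
func RecoverSeed(token string, n int, from, to int64) (int64, bool) {
	for s := from; s <= to; s++ {
		if WeakToken(s, n) == token {
			return s, true
		}
	}
	return 0, false
}

// ErrNoEntropy is returned when the CSPRNG source cannot be read.
var ErrNoEntropy = errors.New("secure randomness unavailable")

// StrongTokenFrom reads n bytes from a CSPRNG source and returns an error,
// never a default value, if the read fails. On Go before 1.24 crypto/rand.Read
// can return an error; ignoring it, or falling back to a zero value, is the
// silent-degradation variant of this weakness.
func StrongTokenFrom(src io.Reader, n int) (string, error) {
	b := make([]byte, n)
	if _, err := io.ReadFull(src, b); err != nil {
		return "", fmt.Errorf("%w: %v", ErrNoEntropy, err)
	}
	return hex.EncodeToString(b), nil
}

// StrongToken is the production entry point, backed by crypto/rand.Reader.
func StrongToken(n int) (string, error) {
	return StrongTokenFrom(rand.Reader, n)
}

// brokenReader stands in for an unavailable entropy source (constructed for
// this example) so the failure path can be exercised offline.
type brokenReader struct{}

func (brokenReader) Read(p []byte) (int, error) {
	return 0, errors.New("entropy source unavailable")
}

func main() {
	// Victim issues a "random" reset token from the clock-seeded PRNG.
	seed := time.Now().Unix()
	tok := WeakToken(seed, 16)

	// Attacker knows only that the token was issued within the last hour.
	if s, ok := RecoverSeed(tok, 16, seed-3600, seed); ok {
		fmt.Printf("weak token %s recovered from seed %d\n", tok, s)
	}

	// Hardened version: CSPRNG, with the error surfaced rather than swallowed.
	if t, err := StrongToken(16); err == nil {
		fmt.Println("strong token:", t)
	}
	if _, err := StrongTokenFrom(brokenReader{}, 16); errors.Is(err, ErrNoEntropy) {
		fmt.Println("refused to issue a token:", err)
	}
}
```

The brute force runs in milliseconds because the token is a deterministic function of a 64-bit seed drawn from a window of a few thousand candidates; with crypto/rand the attacker has no such window to search, and a failed read is turned into a refusal rather than a predictable token.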

Hierarchy (View 1000)

Parents

Children

none

CVEs mapped to this weakness (109)

Page 5 of 6 of the mapped CVEs
  • CVE-2025-2814 | Medium | Apr 13, 2025
    risk 0.19 | CVSS 4.0 | EPSS 0.00

    Crypt::CBC versions between 1.21 and 3.05 for Perl may fall back to Perl's rand() function, which is not cryptographically secure, as the default source of entropy for cryptographic functions. This issue affects operating systems where "/dev/urandom" is unavailable. In that case,…

  • CVE-2025-46653 | Low | Apr 26, 2025
    risk 0.13 | CVSS 3.1 | EPSS 0.00

    Formidable (aka node-formidable) 2.1.0 through 3.x before 3.5.3 relies on hexoid to prevent guessing of filenames for untrusted executable content; however, hexoid is documented as not "cryptographically secure." (Also, there is a scenario in which only the last two characters…

  • CVE-2023-31305 | Low | Aug 13, 2024
    risk 0.12 | CVSS 1.9 | EPSS 0.00

    Generation of weak and predictable Initialization Vector (IV) in PMFW (Power Management Firmware) may allow an attacker with privileges to reuse IV values to reverse-engineer debug data, potentially resulting in information disclosure.

  • CVE-2025-66630 | Feb 9, 2026
    risk 0.00 | CVSS n/a | EPSS 0.00

    Fiber is an Express inspired web framework written in Go. Before 2.52.11, on Go versions prior to 1.24, the underlying crypto/rand implementation can return an error if secure randomness cannot be obtained. Because no error is returned by the Fiber v2 UUID functions, application…

  • CVE-2025-66565 | Dec 9, 2025
    risk 0.00 | CVSS n/a | EPSS 0.00

    Fiber Utils is a collection of common functions created for Fiber. In versions 2.0.0-rc.3 and below, when the system's cryptographic random number generator (crypto/rand) fails, both functions silently fall back to returning predictable UUID values, including the zero UUID…

  • CVE-2025-59390 | Nov 26, 2025
    risk 0.00 | CVSS n/a | EPSS 0.01

    Apache Druid's Kerberos authenticator uses a weak fallback secret when the `druid.auth.authenticator.kerberos.cookieSignatureSecret` configuration is not explicitly set. In this case, the secret is generated using `ThreadLocalRandom`, which is not a cryptographically secure…

  • CVE-2024-29868 | Jun 24, 2024
    risk 0.00 | CVSS n/a | EPSS 0.06

    Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Apache StreamPipes user self-registration and password recovery mechanism. This allows an attacker to guess the recovery token in a reasonable time and thereby to take over the attacked user's…

  • CVE-2023-48224 | Nov 15, 2023
    risk 0.00 | CVSS n/a | EPSS 0.01

    Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime environment, and the enforcement of privacy regulations in code. The Fides Privacy Center allows data subject users to submit privacy and consent requests to…

  • CVE-2022-23472 | Dec 6, 2022
    risk 0.00 | CVSS n/a | EPSS 0.01

    Passeo is an open source python password generator. Versions prior to 1.0.5 rely on the python `random` library for random value selection. The python `random` library warns that it should not be used for security purposes due to its reliance on a non-cryptographically secure…

  • CVE-2022-36045 | Aug 31, 2022
    risk 0.00 | CVSS n/a | EPSS 0.01

    NodeBB Forum Software is powered by Node.js and supports either Redis, MongoDB, or a PostgreSQL database. It utilizes web sockets for instant interactions and real-time notifications. `utils.generateUUID`, a helper function available in essentially all versions of NodeBB (as far…

  • CVE-2022-29245 | May 31, 2022
    risk 0.00 | CVSS n/a | EPSS 0.01

    SSH.NET is a Secure Shell (SSH) library for .NET. In versions 2020.0.0 and 2020.0.1, during an `X25519` key exchange, the client's private key is generated with `System.Random`. `System.Random` is not a cryptographically secure random number generator; it must therefore not be…

  • CVE-2021-3990 | Dec 1, 2021
    risk 0.00 | CVSS n/a | EPSS 0.01

    showdoc is vulnerable to Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

  • CVE-2021-3692 | Aug 10, 2021
    risk 0.00 | CVSS n/a | EPSS 0.02

    yii2 is vulnerable to Use of Predictable Algorithm in Random Number Generator

  • CVE-2021-3678 | Aug 4, 2021
    risk 0.00 | CVSS n/a | EPSS 0.01

    showdoc is vulnerable to Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

  • CVE-2021-3538 | Jun 2, 2021
    risk 0.00 | CVSS n/a | EPSS 0.02

    A flaw was found in github.com/satori/go.uuid in versions from commit 0ef6afb2f6cdd6cdaeee3885a95099c63f18fc8c to d91630c8510268e75203009fe7daf2b8e1d60c45. Due to insecure randomness in the g.rand.Read function the generated UUIDs are predictable for an attacker.

  • CVE-2020-35926 | Dec 31, 2020
    risk 0.00 | CVSS n/a | EPSS 0.02

    An issue was discovered in the nanorand crate before 0.5.1 for Rust. It caused any random number generator (even ChaCha) to return all zeroes because integer truncation was mishandled.

  • CVE-2020-28924 | Nov 19, 2020
    risk 0.00 | CVSS n/a | EPSS 0.01

    An issue was discovered in Rclone before 1.53.3. Due to the use of a weak random number generator, the password generator produced weak passwords with much less entropy than advertised. The suggested passwords depend deterministically on the time the second rclone was…

  • CVE-2019-19794 | Dec 13, 2019
    risk 0.00 | CVSS n/a | EPSS 0.02

    The miekg Go DNS package before 1.1.25, as used in CoreDNS before 1.6.6 and other products, improperly generates random numbers because math/rand is used. The TXID becomes predictable, leading to response forgeries.

  • CVE-2019-8113 | Nov 5, 2019
    risk 0.00 | CVSS n/a | EPSS 0.01

    Magento 2.2 prior to 2.2.10 and Magento 2.3 prior to 2.3.3 or 2.3.2-p1 use a cryptographically weak random number generator for the customer-registration confirmation code, allowing an attacker to brute-force it.

  • CVE-2019-10755 | Sep 23, 2019
    risk 0.00 | CVSS n/a | EPSS 0.01

    The SAML identifier generated within SAML2Utils.java was found to use the Apache commons-lang3 RandomStringUtils class, which makes the identifiers predictable because the PRNG behind RandomStringUtils is not cryptographically strong. This issue only affects the 3.X release of…