CWE-338
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
Description
The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.
Hierarchy (View 1000)
Parents
Children
none
CVEs mapped to this weakness (109)
page 6 of 6| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2019-10754 | — | 0.00 | — | 0.02 | Sep 23, 2019 | Multiple classes used within Apereo CAS before release 6.1.0-RC5 makes use of apache commons-lang3 RandomStringUtils for token and ID generation which makes them predictable due to RandomStringUtils PRNG's algorithm not being cryptographically strong. | ||
| CVE-2019-16303 | — | 0.00 | — | 0.04 | Sep 13, 2019 | A class generated by the Generator in JHipster before 6.3.0 and JHipster Kotlin through 1.1.0 produces code that uses an insecure source of randomness (apache.commons.lang3 RandomStringUtils). This allows an attacker (if able to obtain their own password reset URL) to compute… | ||
| CVE-2019-7860 | 0.00 | — | 0.01 | Aug 2, 2019 | A cryptographically weak pseudo-rando number generator is used in multiple security relevant contexts in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. | |||
| CVE-2019-7855 | 0.00 | — | 0.01 | Aug 2, 2019 | A cryptograhic flaw in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 could be abused by an unauthenticated user to discover an invariant used in gift card generation. | |||
| CVE-2019-11842 | — | 0.00 | — | 0.02 | May 9, 2019 | An issue was discovered in Matrix Sydent before 1.0.3 and Synapse before 0.99.3.1. Random number generation is mishandled, which makes it easier for attackers to predict a Sydent authentication token or a Synapse random ID. | ||
| CVE-2019-11808 | — | 0.00 | — | 0.01 | May 7, 2019 | Ratpack versions before 1.6.1 generate a session ID using a cryptographically weak PRNG in the JDK's ThreadLocalRandom. This means that if an attacker can determine a small window for the server start time and obtain a session ID value, they can theoretically determine the… | ||
| CVE-2018-15795 | 0.00 | — | 0.01 | Nov 13, 2018 | Pivotal CredHub Service Broker, versions prior to 1.1.0, uses a guessable form of random number generation in creating service broker's UAA client. A remote malicious user may guess the client secret and obtain or modify credentials for users of the CredHub Service. | |||
| CVE-2014-2362 | 0.00 | — | 0.02 | Jul 24, 2014 | OleumTech WIO DH2 Wireless Gateway and Sensor Wireless I/O Modules rely exclusively on a time value for entropy in key generation, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by predicting the time of project creation. | |||
| CVE-2014-3503 | 0.00 | — | 0.06 | Jul 11, 2014 | Apache Syncope 1.1.x before 1.1.8 uses weak random values to generate passwords, which makes it easier for remote attackers to guess the password via a brute force attack. |
- CVE-2019-10754Sep 23, 2019risk 0.00cvss —epss 0.02
Multiple classes used within Apereo CAS before release 6.1.0-RC5 makes use of apache commons-lang3 RandomStringUtils for token and ID generation which makes them predictable due to RandomStringUtils PRNG's algorithm not being cryptographically strong.
- CVE-2019-16303Sep 13, 2019risk 0.00cvss —epss 0.04
A class generated by the Generator in JHipster before 6.3.0 and JHipster Kotlin through 1.1.0 produces code that uses an insecure source of randomness (apache.commons.lang3 RandomStringUtils). This allows an attacker (if able to obtain their own password reset URL) to compute…
- CVE-2019-7860Aug 2, 2019risk 0.00cvss —epss 0.01
A cryptographically weak pseudo-rando number generator is used in multiple security relevant contexts in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.
- CVE-2019-7855Aug 2, 2019risk 0.00cvss —epss 0.01
A cryptograhic flaw in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 could be abused by an unauthenticated user to discover an invariant used in gift card generation.
- CVE-2019-11842May 9, 2019risk 0.00cvss —epss 0.02
An issue was discovered in Matrix Sydent before 1.0.3 and Synapse before 0.99.3.1. Random number generation is mishandled, which makes it easier for attackers to predict a Sydent authentication token or a Synapse random ID.
- CVE-2019-11808May 7, 2019risk 0.00cvss —epss 0.01
Ratpack versions before 1.6.1 generate a session ID using a cryptographically weak PRNG in the JDK's ThreadLocalRandom. This means that if an attacker can determine a small window for the server start time and obtain a session ID value, they can theoretically determine the…
- CVE-2018-15795Nov 13, 2018risk 0.00cvss —epss 0.01
Pivotal CredHub Service Broker, versions prior to 1.1.0, uses a guessable form of random number generation in creating service broker's UAA client. A remote malicious user may guess the client secret and obtain or modify credentials for users of the CredHub Service.
- CVE-2014-2362Jul 24, 2014risk 0.00cvss —epss 0.02
OleumTech WIO DH2 Wireless Gateway and Sensor Wireless I/O Modules rely exclusively on a time value for entropy in key generation, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by predicting the time of project creation.
- CVE-2014-3503Jul 11, 2014risk 0.00cvss —epss 0.06
Apache Syncope 1.1.x before 1.1.8 uses weak random values to generate passwords, which makes it easier for remote attackers to guess the password via a brute force attack.