VYPR

CWE-338

Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

BaseDraftLikelihood: Medium

Description

The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.

Hierarchy (View 1000)

Parents

Children

none

CVEs mapped to this weakness (109)

page 6 of 6
  • CVE-2019-10754Sep 23, 2019
    risk 0.00cvss epss 0.02

    Multiple classes used within Apereo CAS before release 6.1.0-RC5 makes use of apache commons-lang3 RandomStringUtils for token and ID generation which makes them predictable due to RandomStringUtils PRNG's algorithm not being cryptographically strong.

  • CVE-2019-16303Sep 13, 2019
    risk 0.00cvss epss 0.04

    A class generated by the Generator in JHipster before 6.3.0 and JHipster Kotlin through 1.1.0 produces code that uses an insecure source of randomness (apache.commons.lang3 RandomStringUtils). This allows an attacker (if able to obtain their own password reset URL) to compute…

  • CVE-2019-7860Aug 2, 2019
    risk 0.00cvss epss 0.01

    A cryptographically weak pseudo-rando number generator is used in multiple security relevant contexts in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.

  • CVE-2019-7855Aug 2, 2019
    risk 0.00cvss epss 0.01

    A cryptograhic flaw in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 could be abused by an unauthenticated user to discover an invariant used in gift card generation.

  • CVE-2019-11842May 9, 2019
    risk 0.00cvss epss 0.02

    An issue was discovered in Matrix Sydent before 1.0.3 and Synapse before 0.99.3.1. Random number generation is mishandled, which makes it easier for attackers to predict a Sydent authentication token or a Synapse random ID.

  • CVE-2019-11808May 7, 2019
    risk 0.00cvss epss 0.01

    Ratpack versions before 1.6.1 generate a session ID using a cryptographically weak PRNG in the JDK's ThreadLocalRandom. This means that if an attacker can determine a small window for the server start time and obtain a session ID value, they can theoretically determine the…

  • CVE-2018-15795Nov 13, 2018
    risk 0.00cvss epss 0.01

    Pivotal CredHub Service Broker, versions prior to 1.1.0, uses a guessable form of random number generation in creating service broker's UAA client. A remote malicious user may guess the client secret and obtain or modify credentials for users of the CredHub Service.

  • CVE-2014-2362Jul 24, 2014
    risk 0.00cvss epss 0.02

    OleumTech WIO DH2 Wireless Gateway and Sensor Wireless I/O Modules rely exclusively on a time value for entropy in key generation, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by predicting the time of project creation.

  • CVE-2014-3503Jul 11, 2014
    risk 0.00cvss epss 0.06

    Apache Syncope 1.1.x before 1.1.8 uses weak random values to generate passwords, which makes it easier for remote attackers to guess the password via a brute force attack.