
CWE-330 Use of Insufficiently Random Values: Vulnerability List (112)

Summary of the 112 CVE entries associated with the CWE-330 (Use of Insufficiently Random Values) weakness class, with AI-generated analysis in Chinese.

CWE-330 is a cryptography-related weakness: a value with insufficient randomness is used in a security context that depends on that value being unpredictable. An attacker typically analyses the weaknesses of the pseudo-random number generator (PRNG) to predict or reproduce the critical value, and thereby bypasses authentication or session management. Developers should not use the statistical pseudo-random functions of standard libraries for security-sensitive data; they should use the cryptographically secure random number generator provided by the operating system, and make sure the seed source has enough entropy so that the generated values cannot be predicted.

MITRE CWE official description
CWE-330 Use of Insufficiently Random Values: The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.
Common Consequences (3)
Scope: Confidentiality, Other · Impact: Other
When a protection mechanism relies on random values to restrict access to a sensitive resource, such as a session ID or a seed for generating a cryptographic key, then the resource being protected could be accessed by guessing the ID or key.
Scope: Access Control, Other · Impact: Bypass Protection Mechanism, Other
If the product relies on unique, unguessable IDs to identify a resource, an attacker might be able to guess an ID for a resource that is owned by another user. The attacker could then read the resource, or pre-create a resource with the same ID to prevent the legitimate program from properly sending the…
Scope: Access Control · Impact: Bypass Protection Mechanism, Gain Privileges or Assume Identity
When an authorization or authentication mechanism relies on random values to restrict access to restricted functionality, such as a session ID or a seed for generating a cryptographic key, then an attacker may access the restricted functionality by guessing the ID or key.
Mitigations (3)
Architecture and Design: Use a well-vetted algorithm that is currently considered to be strong by experts in the field, and select well-tested implementations with adequate length seeds. In general, if a pseudo-random number generator is not advertised as being cryptographically secure, then it is probably a statistical PRNG and should not be used in security-sensitive contexts. Pseudo-random number generators can produce…
Implementation: Consider a PRNG that re-seeds itself as needed from high quality pseudo-random output sources, such as hardware devices.
Architecture and Design, Requirements: Use products or modules that conform to FIPS 140-2 [REF-267] to avoid obvious entropy problems. Consult FIPS 140-2 Annex C ("Approved Random Number Generators").
Code Examples (2)
This code attempts to generate a unique random identifier for a user's session.
    function generateSessionID($userID) {
        srand($userID);   // the seed is the user ID, so rand() yields the same value for that user every time
        return rand();
    }

Bad · PHP
The following code uses a statistical PRNG to create a URL for a receipt that remains active for some period of time after a purchase.
    String GenerateReceiptURL(String baseUrl) {
        Random ranGen = new Random();
        ranGen.setSeed((new Date()).getTime());   // seeded only from the current time in milliseconds
        return (baseUrl + ranGen.nextInt(400000000) + ".html");
    }

Bad · Java
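The two "Bad" snippets above share one defect: the PRNG is seeded from a value an outsider can know (the user ID, or the clock), so the "random" output is a deterministic function of that value. The added example below is not part of the CWE entry or of this site; it rebuilds both weak patterns in Python, places the hardened form (the OS-backed CSPRNG via `secrets`) beside them, and gives a small reproducibility check a reviewer can run. All function names are assumed for illustration.

```python
import random
import secrets

# --- Weak patterns, mirroring the PHP and Java examples on the page ---

def weak_session_id(user_id: int) -> int:
    """Like srand($userID); rand(): the seed fully determines the output."""
    rng = random.Random(user_id)      # statistical PRNG (Mersenne Twister), seeded with a known value
    return rng.randint(0, 2**31 - 1)


def weak_receipt_url(base_url: str, timestamp_ms: int) -> str:
    """Like new Random() + setSeed(new Date().getTime()): seed is the clock."""
    rng = random.Random(timestamp_ms)  # anyone who knows roughly when the URL was made can re-derive it
    return f"{base_url}{rng.randrange(400_000_000)}.html"


# --- Hardened forms: cryptographically secure randomness from the OS ---

def strong_session_id() -> str:
    """256 bits from os.urandom via the secrets module; no caller-supplied seed."""
    return secrets.token_urlsafe(32)


def strong_receipt_url(base_url: str) -> str:
    """Unguessable receipt token; 128 bits is ample for a short-lived URL."""
    return f"{base_url}{secrets.token_urlsafe(16)}.html"


# --- Review check: does the generator give the same value for the same inputs? ---

def is_reproducible(fn, *args, trials: int = 3) -> bool:
    """True when repeated calls with identical inputs return identical values.

    A session-ID or token generator that is reproducible from data an outsider
    can know (user ID, timestamp) is the CWE-330 condition described above.
    """
    first = fn(*args)
    return all(fn(*args) == first for _ in range(trials))


if __name__ == "__main__":
    # Constructed sample inputs: a user ID and a fixed millisecond timestamp.
    print("weak_session_id reproducible:", is_reproducible(weak_session_id, 42))
    print("weak_receipt_url reproducible:",
          is_reproducible(weak_receipt_url, "https://example.test/r/", 1_700_000_000_000))
    print("strong_session_id reproducible:", is_reproducible(strong_session_id))
```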
CVE ID | Title | CVSS | Risk level | Published
CVE-2026-7847 | Langchain-Chatchat upload file ID random value vulnerability — Langchain-Chatchat | 2.6 | Low | 2026-05-05
CVE-2026-40975 | VMware Spring Boot security feature issue vulnerability — Spring Boot | 4.8 | Medium | 2026-04-27
CVE-2026-40496 | FreeScout security feature issue vulnerability — freescout | 8.2 (AI) | High (AI) | 2026-04-21
CVE-2026-40306 | DNN security vulnerability — Dnn.Platform | 5.4 (AI) | Medium (AI) | 2026-04-17
CVE-2026-33710 | Chamilo LMS security feature issue vulnerability — chamilo-lms | 7.5 | High | 2026-04-10
CVE-2026-34511 | OpenClaw security feature issue vulnerability — OpenClaw | 5.3 | Medium | 2026-04-03
CVE-2025-15603 | Open WebUI security feature issue vulnerability — open-webui | 3.7 | Low | 2026-03-09
CVE-2026-25072 | XikeStor SKS8310-8X security feature issue vulnerability — XikeStor SKS8310-8X | 9.1 | - | 2026-03-07
CVE-2026-20101 | Cisco Secure Firewall Adaptive Security Appliance and Cisco Secure FTD Software security feature issue vulnerability — Cisco Secure Firewall Adaptive Security Appliance (ASA) Software | 8.6 | High | 2026-03-04
CVE-2026-27755 | SODOLA SL902-SWTGW124AS security feature issue vulnerability — SODOLA SL902-SWTGW124AS | 9.8 | Critical | 2026-02-27
CVE-2026-23999 | Fleet security feature issue vulnerability — fleet | 5.7 (AI) | Medium (AI) | 2026-02-26
CVE-2026-27637 | FreeScout security vulnerability — freescout | 9.8 | Critical | 2026-02-25
CVE-2024-48928 | Piwigo security feature issue vulnerability — Piwigo | 7.5 | - | 2026-02-24
CVE-2026-27515 | Binardat 10G08-0800GSM security feature issue vulnerability — 10G08-0800GSM Network Switch | 9.1 | Critical | 2026-02-24
CVE-2026-2966 | Cesanta Mongoose security feature issue vulnerability — Mongoose | 3.7 | Low | 2026-02-23
CVE-2025-15574 | SolaX Power Pocket security vulnerability — Pocket WiFi 3.0 | 9.8 (AI) | Critical (AI) | 2026-02-12
CVE-2025-64097 | NervesHub security feature issue vulnerability — nerves_hub_web | 8.1 (AI) | High (AI) | 2026-01-22
CVE-2025-68704 | Jervis security feature issue vulnerability — jervis | 7.5 (AI) | High (AI) | 2026-01-13
CVE-2025-11723 | WordPress plugin Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin security feature issue vulnerability — Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin | 6.5 | Medium | 2026-01-06
CVE-2025-11707 | WordPress plugin Login Lockdown & Protection security feature issue vulnerability — Login Lockdown & Protection | 5.3 | Medium | 2025-12-13
CVE-2025-13955 | EZCast Pro II security vulnerability — EZCast Pro II | 8.1 (AI) | High (AI) | 2025-12-10
CVE-2025-66511 | Nextcloud Calendar security feature issue vulnerability — security-advisories | 4.8 | Medium | 2025-12-05
CVE-2025-13353 | gokey security vulnerability — gokey | 9.1 (AI) | Critical (AI) | 2025-12-02
CVE-2025-59371 | ASUS Router security vulnerability — Router | 8.8 (AI) | High (AI) | 2025-11-25
CVE-2025-13470 | RNP security vulnerability — RNP | 7.5 | High | 2025-11-21
CVE-2025-12787 | WordPress plugin Hydra Booking — Appointment Scheduling & Booking Calendar security feature issue vulnerability — Hydra Booking — Appointment Scheduling & Booking Calendar | 5.3 | Medium | 2025-11-11
CVE-2025-6515 | oatpp-mcp security feature issue vulnerability — oatpp-mcp | 6.8 | Medium | 2025-10-20
CVE-2025-10745 | WordPress plugin Banhammer security feature issue vulnerability — Banhammer – Monitor Site Traffic, Block Bad Users and Bots | 5.3 | Medium | 2025-09-26
CVE-2025-10671 | e-learning security feature issue vulnerability — e-learning | 3.7 | Low | 2025-09-18
CVE-2025-7783 | form-data security vulnerability | 8.2 | - | 2025-07-18

Values marked "(AI)" are scores and risk levels estimated by the site's AI analysis rather than taken from the official record.

CWE-330 (Use of Insufficiently Random Values) is a common weakness class; this platform indexes the 112 CVE entries associated with it.