CWE-330 (Use of Insufficiently Random Values) — Vulnerability Class 112

112 vulnerabilities classified as CWE-330 (Use of Insufficiently Random Values). AI Chinese analysis included.

CWE-330 represents a critical weakness where software relies on predictable or insufficiently random values within security-sensitive contexts, such as session token generation or cryptographic key creation. Attackers typically exploit this flaw by analyzing patterns in the generated values to predict future outputs, thereby bypassing authentication mechanisms or hijacking active user sessions. This vulnerability often stems from the misuse of standard pseudo-random number generators that lack cryptographic security properties. To mitigate this risk, developers must employ cryptographically secure pseudo-random number generators (CSPRNGs) that are specifically designed to resist prediction even if previous outputs are known. Additionally, ensuring proper seeding with high-entropy sources and avoiding custom randomization algorithms are essential practices for maintaining the integrity of security-dependent operations.

MITRE CWE Description
The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.
Common Consequences (3)
Scope: Confidentiality, Other · Impact: Other
When a protection mechanism relies on random values to restrict access to a sensitive resource, such as a session ID or a seed for generating a cryptographic key, then the resource being protected could be accessed by guessing the ID or key.
Scope: Access Control, Other · Impact: Bypass Protection Mechanism, Other
If product relies on unique, unguessable IDs to identify a resource, an attacker might be able to guess an ID for a resource that is owned by another user. The attacker could then read the resource, or pre-create a resource with the same ID to prevent the legitimate program from properly sending the…
Scope: Access Control · Impact: Bypass Protection Mechanism, Gain Privileges or Assume Identity
When an authorization or authentication mechanism relies on random values to restrict access to restricted functionality, such as a session ID or a seed for generating a cryptographic key, then an attacker may access the restricted functionality by guessing the ID or key.
Mitigations (3)
Architecture and Design: Use a well-vetted algorithm that is currently considered to be strong by experts in the field, and select well-tested implementations with adequate length seeds. In general, if a pseudo-random number generator is not advertised as being cryptographically secure, then it is probably a statistical PRNG and should not be used in security-sensitive contexts. Pseudo-random number generators can produce…
Implementation: Consider a PRNG that re-seeds itself as needed from high quality pseudo-random output sources, such as hardware devices.
Architecture and Design, Requirements: Use products or modules that conform to FIPS 140-2 [REF-267] to avoid obvious entropy problems. Consult FIPS 140-2 Annex C ("Approved Random Number Generators").
Examples (2)
This code attempts to generate a unique random identifier for a user's session.
    function generateSessionID($userID){
        // Seeding with the user ID makes the returned value a fixed function of that ID.
        srand($userID);
        return rand();
    }
Bad · PHP
The following code uses a statistical PRNG to create a URL for a receipt that remains active for some period of time after a purchase.
    String GenerateReceiptURL(String baseUrl) {
        // java.util.Random is a statistical PRNG, and the seed here is the current time in milliseconds.
        Random ranGen = new Random();
        ranGen.setSeed((new Date()).getTime());
        return(baseUrl + ranGen.nextInt(400000000) + ".html");
    }
Bad · Java
| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2023-29332 | Microsoft Azure Kubernetes Service Elevation of Privilege Vulnerability — Azure Kubernetes Service | 7.5 | High | 2023-09-12 |
| CVE-2023-41879 | Magento LTS's guest order "protect code" can be brute-forced too easily — magento-lts | 7.5 | High | 2023-09-11 |
| CVE-2023-34353 | Open Automation Software OAS Platform security feature issue vulnerability — OAS Platform | 7.5 | High | 2023-09-05 |
| CVE-2023-26451 | Open-Xchange AppSuite security feature issue vulnerability — OX App Suite | 7.5 | High | 2023-08-02 |
| CVE-2023-3803 | Chengdu Flash Flood Disaster Monitoring and Warning System File Name ImageStationDataService.asmx random values — Flash Flood Disaster Monitoring and Warning System | 2.6 | Low | 2023-07-21 |
| CVE-2023-20185 | Cisco Nexus 9000 Series Fabric Switches cryptographic issue vulnerability — Cisco NX-OS System Software in ACI Mode | 7.4 | High | 2023-07-12 |
| CVE-2022-43485 | Insecure random number used for generating keys for signing Jwt tokens — OneWireless | 6.2 | Medium | 2023-05-30 |
| CVE-2023-31147 | Insufficient randomness in generation of DNS query IDs in c-ares — c-ares | 5.9 | Medium | 2023-05-25 |
| CVE-2023-31124 | AutoTools does not set CARES_RANDOM_FILE during cross compilation — c-ares | 3.7 | Low | 2023-05-25 |
| CVE-2023-1385 | Amazon Fire TV Stick security feature issue vulnerability — Fire TV Stick 3rd gen | 7.1 | High | 2023-05-03 |
| CVE-2023-2418 | Konga Login API random values — Konga | 3.1 | Low | 2023-04-29 |
| CVE-2023-30797 | Insecure Random Generation in Netflix Lemur — Lemur | 7.5 | High | 2023-04-19 |
| CVE-2022-43636 | TP-LINK TL-WR940N security feature issue vulnerability — TL-WR940N | 8.8 | - | 2023-03-29 |
| CVE-2022-26080 | Easily guessable session ID's in NE843 Pulsar Plus Controller — Pulsar Plus System Controller NE843_S | 6.3 | Medium | 2023-03-16 |
| CVE-2022-39216 | Combodo iTop's weak password reset token leads to account takeover — iTop | 7.4 | High | 2023-03-14 |
| CVE-2022-43501 | KASAGO IPv6/v4 Dual security feature issue vulnerability — Kasago IPv6/v4 Dual | 8.2 | - | 2023-02-10 |
| CVE-2023-22601 | InHand Networks InRouter302 security feature issue vulnerability — InRouter 302 | 10.0 | Critical | 2023-01-12 |
| CVE-2019-25089 | Morgawr Muon handler.clj random values — Muon | 3.1 | Low | 2022-12-27 |
| CVE-2021-4248 | kapetan dns Request.cs entropy — dns | 5.6 | Medium | 2022-12-18 |
| CVE-2022-46353 | Siemens SCALANCE Series security feature issue vulnerability — SCALANCE X204RNA (HSR) | 7.5 | - | 2022-12-13 |
| CVE-2022-3959 | drogon Session Hash small space of random values — drogon | 3.1 | Low | 2022-11-11 |
| CVE-2022-42787 | Wiesemann & Theis: Small number space for allocating session id in Com-Server family — Com-Server LC | 8.8 | High | 2022-11-10 |
| CVE-2022-31008 | Predictable credential obfuscation seed value used in rabbitmq-server — rabbitmq-server | 5.5 | Medium | 2022-10-06 |
| CVE-2022-1615 | Samba security feature issue vulnerability — Samba | 7.5 | - | 2022-09-01 |
| CVE-2022-36045 | Account takeover via cryptographically weak PRNG in NodeBB Forum — NodeBB | 9.0 | Critical | 2022-08-31 |
| CVE-2022-37400 | Apache OpenOffice Static Initialization Vector Allows to Recover Passwords for Web Connections Without Knowing the Master Password — Apache OpenOffice | 6.5 | - | 2022-08-13 |
| CVE-2022-26647 | Siemens SCALANCE security feature issue vulnerability — SCALANCE X200-4P IRT | 8.8 | High | 2022-07-12 |
| CVE-2020-35163 | Dell BSAFE security feature issue vulnerability — Dell BSAFE Crypto-C Micro Edition | 5.3 | Medium | 2022-07-11 |
| CVE-2022-31034 | Insecure entropy in argo-cd — argo-cd | 8.3 | High | 2022-06-27 |
| CVE-2022-26071 | F5 BIG-IP security feature issue vulnerability — BIG-IP | 7.4 | High | 2022-05-05 |

Vulnerabilities classified as CWE-330 (Use of Insufficiently Random Values) represent 112 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.