Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-331 (信息熵不充分) — Vulnerability Class 51

51 vulnerabilities classified as CWE-331 (信息熵不充分). AI Chinese analysis included.

CWE-331 represents a cryptographic weakness where an algorithm generates insufficient entropy, resulting in predictable patterns or clusters of values rather than true randomness. This flaw is typically exploited by attackers who analyze the output to identify statistical biases, allowing them to predict future keys or session tokens with significantly higher probability than chance. By compromising the unpredictability of security mechanisms, adversaries can bypass authentication, decrypt sensitive data, or forge identities. To avoid this vulnerability, developers must ensure their random number generators are seeded with high-quality entropy sources, such as hardware-based noise generators or operating system-provided secure random functions. Relying on deterministic algorithms or low-entropy inputs like timestamps alone is insufficient; instead, implementing cryptographically secure pseudo-random number generators (CSPRNGs) that meet established statistical randomness standards is essential for maintaining robust security integrity.

MITRE CWE Description
The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.
Common Consequences (1)
Access Control, OtherBypass Protection Mechanism, Other
An attacker could guess the random numbers generated and could gain unauthorized access to a system if the random numbers are used for authentication and authorization.
Mitigations (1)
ImplementationDetermine the necessary entropy to adequately provide for randomness and predictability. This can be achieved by increasing the number of bits of objects such as keys and seeds.
Examples (2)
This code generates a unique random identifier for a user's session.
function generateSessionID($userID){ srand($userID); return rand(); }
Bad · PHP
The following code uses a statistical PRNG to create a URL for a receipt that remains active for some period of time after a purchase.
String GenerateReceiptURL(String baseUrl) { Random ranGen = new Random(); ranGen.setSeed((new Date()).getTime()); return(baseUrl + ranGen.nextInt(400000000) + ".html"); }
Bad · Java
CVE IDTitleCVSSSeverityPublished
CVE-2026-2336 Weak webstax_auth Cookie Authentication Allows Privilege Escalation — IStaX 8.8AIHighAI2026-04-16
CVE-2026-41080 libexpat 安全漏洞 — libexpat 2.9 Low2026-04-16
CVE-2026-34236 Auth0 PHP SDK Insufficient Entropy in Cookie Encryption — auth0-PHP 8.2 High2026-04-01
CVE-2026-2878 Insufficient Entropy Vulnerability in Telerik UI for ASP.NET AJAX — Telerik UI for ASP.NET AJAX 5.3 Medium2026-02-25
CVE-2025-0577 Glibc: vdso getrandom acceleration may return predictable randomness 4.8 Medium2026-02-18
CVE-2026-2541 Micca KE700 Brute-force vulnerability due to low entropy — Car Alarm System KE700 9.8AICriticalAI2026-02-15
CVE-2025-7432 DPA countermeasures not reseeded under certain conditions — Simplicity SDK 6.5AIMediumAI2026-02-09
CVE-2026-1814 Rapid7 Nexpose Insecure Java Keystore Password Generation — InsightVM/Nexpose 9.1AICriticalAI2026-02-03
CVE-2025-13399 Insecure Encryption in Communication with the Web Interface on TP-Link VX800v — VX800v v1.0 6.8AIMediumAI2026-01-29
CVE-2026-22698 RustCrypto SM2-PKE has 32-bit Biased Nonce Vulnerability — elliptic-curves 7.5 -2026-01-10
CVE-2020-36925 Arteco Web Client DVR/NVR Session ID Brute Force Authentication Bypass — Arteco Web Client DVR/NVR 9.8 Critical2026-01-06
CVE-2025-15387 QNO Technology|VPN Firewall - Insufficient Entropy — VPN Firewall 8.8 High2025-12-31
CVE-2025-67504 WBCE CMS has Weak Random Number Generator in Password Generation Function — WBCE_CMS 9.1 Critical2025-12-09
CVE-2025-14261 Lack of entropy allows registered low-privileged users of Litmus to crack valid JWT tokens and gain admin privileges — litmus 7.1 High2025-12-08
CVE-2025-32898 KDE Connect 安全特征问题漏洞 — KDE Connect verification-code protocol 4.7 Medium2025-12-05
CVE-2025-62774 Mercku M6a 安全特征问题漏洞 — M6a 3.1 Low2025-10-22
CVE-2025-59015 Insufficient Entropy in Password Generation — TYPO3 CMS 9.8AICriticalAI2025-09-09
CVE-2025-54885 Thinbus generates insufficient entropy: 252 bits vs minimum 256 bits — thinbus-srp-npm 9.1AICriticalAI2025-08-07
CVE-2025-50122 Schneider Electric EcoStruxure IT Data Center Expert 安全特征问题漏洞 — EcoStruxure™ IT Data Center Expert 9.8AICriticalAI2025-07-11
CVE-2025-6931 D-Link DCS-6517/DCS-7517 Root Password Generation httpd generate_pass_from_mac entropy — DCS-6517 3.7 Low2025-06-30
CVE-2025-52464 Meshtastic Repeated Public and Private Keypairs — firmware 6.5AIMediumAI2025-06-19
CVE-2025-47781 Rallly Insufficient Password Login Token Entropy Leads to Account Takeover — rallly 9.8 Critical2025-05-14
CVE-2024-9055 DPA Countermeasures need reseeding — Simplicity SDK 4.2 Medium2025-03-17
CVE-2024-8796 Insufficient Default OTP Shared Secret Length — devise-two-factor 5.3 Medium2024-09-17
CVE-2024-38270 Zyxel GS1900 安全特征问题漏洞 — GS1900-10HP firmware 5.3 Medium2024-09-10
CVE-2024-6508 Openshift-console: oauth2 insufficient state parameter entropy 8.0 High2024-08-21
CVE-2024-36400 nano-id is unable to generate the correct character set — nano-id 9.4 Critical2024-06-04
CVE-2023-49599 WWBN AVideo 安全特征问题漏洞 — AVideo 9.8 Critical2024-01-10
CVE-2023-46648 Insufficient Entropy in GitHub Enterprise Server Management Console Invitation Token — Enterprise Server 8.3 High2023-12-21
CVE-2023-26154 PubNub 安全漏洞 — pubnub 5.9 Medium2023-12-06

Vulnerabilities classified as CWE-331 (信息熵不充分) represent 51 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.