CWE-331 (Insufficient Entropy) — Vulnerability Class 51

51 vulnerabilities classified as CWE-331 (Insufficient Entropy). AI Chinese analysis included.

CWE-331 is a cryptographic weakness in which an algorithm or scheme produces insufficient entropy, so its output falls into predictable patterns or clusters of values rather than being truly random. Attackers typically exploit it by analyzing the output for statistical biases, which lets them predict future keys or session tokens with significantly higher probability than chance. Once the unpredictability of a security mechanism is compromised, adversaries can bypass authentication, decrypt sensitive data, or forge identities.

To avoid this weakness, developers must ensure their random number generators are seeded from high-quality entropy sources, such as hardware-based noise generators or operating system-provided secure random functions. Relying on deterministic algorithms or low-entropy inputs such as timestamps alone is insufficient; instead, security-sensitive values should come from cryptographically secure pseudo-random number generators (CSPRNGs) that meet established statistical randomness standards.

MITRE CWE Description
The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.

Common Consequences (1)
Scope: Access Control, Other. Impact: Bypass Protection Mechanism, Other.
An attacker could guess the random numbers generated and could gain unauthorized access to a system if the random numbers are used for authentication and authorization.

Mitigations (1)
Phase: Implementation. Determine the necessary entropy to adequately provide for randomness and predictability. This can be achieved by increasing the number of bits of objects such as keys and seeds.

Examples (2)
This code generates a unique random identifier for a user's session.

    function generateSessionID($userID){
        srand($userID);
        return rand();
    }

Bad · PHP

The following code uses a statistical PRNG to create a URL for a receipt that remains active for some period of time after a purchase.

    String GenerateReceiptURL(String baseUrl) {
        Random ranGen = new Random();
        ranGen.setSeed((new Date()).getTime());
        return(baseUrl + ranGen.nextInt(400000000) + ".html");
    }

Bad · Java
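
A hardened counterpart of the receipt-URL example, together with the entropy estimate the mitigation asks for. This is an added example, not code from the CWE entry or from this site; the class and method names, the 16-byte token size, the one-day window and the `shop.example` URL are assumptions.

```java
import java.security.SecureRandom;
import java.util.Base64;

// Added example (not from the CWE entry). All names here are hypothetical.
public class ReceiptUrls {
    // One shared CSPRNG; by default the JDK seeds it from the platform's entropy source.
    private static final SecureRandom RNG = new SecureRandom();
    // Assumed token size: 16 bytes = 128 bits of entropy per receipt URL.
    private static final int TOKEN_BYTES = 16;

    // Hardened counterpart of GenerateReceiptURL: the identifier comes straight
    // from the CSPRNG instead of a time-seeded java.util.Random.
    static String generateReceiptUrl(String baseUrl) {
        byte[] token = new byte[TOKEN_BYTES];
        RNG.nextBytes(token);
        String id = Base64.getUrlEncoder().withoutPadding().encodeToString(token);
        return baseUrl + id + ".html";
    }

    // Upper bound, in bits, on the entropy of the weak scheme. The identifier is
    // fully determined by the seed, so it cannot carry more entropy than the seed
    // (a millisecond timestamp known to within seedWindowMillis) or than the
    // output range (the bound passed to nextInt) allows.
    static double weakSchemeBitsUpperBound(long seedWindowMillis, long outputRange) {
        return Math.min(log2(seedWindowMillis), log2(outputRange));
    }

    private static double log2(double x) {
        return Math.log(x) / Math.log(2.0);
    }

    public static void main(String[] args) {
        // Assumed uncertainty about the purchase time: one day, in milliseconds.
        long oneDayMillis = 24L * 60 * 60 * 1000;
        System.out.printf("time-seeded Random, 1-day window: <= %.1f bits%n",
                weakSchemeBitsUpperBound(oneDayMillis, 400_000_000L));
        System.out.printf("SecureRandom token: %d bits%n", TOKEN_BYTES * 8);
        // Constructed base URL, for illustration only.
        System.out.println(generateReceiptUrl("https://shop.example/receipts/"));
    }
}
```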
| CVE ID | Title | CVSS | Severity | Published |
| --- | --- | --- | --- | --- |
| CVE-2023-31176 | Insufficient entropy vulnerability could lead to authentication bypass — SEL-451 | 7.5 | High | 2023-11-30 |
| CVE-2023-34973 | QTS, QuTS hero — QTS | 3.1 | Low | 2023-08-24 |
| CVE-2023-4344 | Broadcom RAID Controller web interface is vulnerable to insufficient randomness due to improper use of ssl.rnd to setup CIM connection — LSI Storage Authority (LSA) | 5.3 | - | 2023-08-15 |
| CVE-2023-36610 | Ovarro TBox RTUs Security Feature Issue Vulnerability — TBox MS-CPU32 | 5.9 | Medium | 2023-07-03 |
| CVE-2022-43755 | Rancher: Non-random authentication token — Rancher | 7.1 | High | 2023-02-07 |
| CVE-2021-4240 | phpservermon User.php generatePasswordResetToken predictable algorithm in random number generator — phpservermon | 2.6 | Low | 2022-11-15 |
| CVE-2021-4241 | phpservermon User.php setUserLoggedIn predictable algorithm in random number generator — phpservermon | 2.6 | Low | 2022-11-15 |
| CVE-2022-34746 | Zyxel GS1900 Security Feature Issue Vulnerability — Zyxel GS1900 series firmware | 5.9 | Medium | 2022-09-20 |
| CVE-2022-37401 | Apache OpenOffice Weak Master Keys — Apache OpenOffice | 8.8 | - | 2022-08-13 |
| CVE-2020-29508 | Dell BSAFE Micro Edition Suite and Dell BSAFE Input Validation Error Vulnerability — Dell BSAFE Micro Edition Suite | 5.3 | Medium | 2022-07-11 |
| CVE-2020-29505 | Dell BSAFE Micro Edition Suite and Dell BSAFE Security Feature Issue Vulnerability — Dell BSAFE Crypto-C Micro Edition | 7.1 | High | 2022-07-11 |
| CVE-2022-33738 | OpenVPN Security Feature Issue Vulnerability — OpenVPN Access Server | 7.5 | - | 2022-07-06 |
| CVE-2021-36294 | Dell Vnx2 Oe For File Security Feature Issue Vulnerability — VNX Control Station | 9.8 | Critical | 2022-01-25 |
| CVE-2021-36320 | Dell Networking X-Series Security Feature Issue Vulnerability — Networking X-Series | 7.5 | High | 2021-11-20 |
| CVE-2021-22727 | EVlink City, EVlink Parking and EVlink Smart Wallbox Security Feature Issue Vulnerability — EVlink City (EVC1S22P4 / EVC1S7P4 all versions prior to R8 V3.4.0.1), EVlink Parking (EVW2 / EVF2 / EV.2 all versions prior to R8 V3.4.0.1), and EVlink Smart Wallbox (EVB1A all versions prior to R8 V3.4.0.1) | 9.8 | - | 2021-07-21 |
| CVE-2021-3505 | Archlinux libtpms Security Feature Issue Vulnerability — libtpms | 5.5 | - | 2021-04-19 |
| CVE-2020-1773 | Session / Password / Password token leak — ((OTRS)) Community Edition | 7.3 | High | 2020-03-27 |
| CVE-2017-2626 | X.org X Server Security Feature Issue Vulnerability — libICE | 7.1 | - | 2018-07-27 |
| CVE-2017-2625 | libXdmcp Security Feature Issue Vulnerability — libXdmcp | 7.1 | - | 2018-07-27 |
| CVE-2017-13992 | LOYTEC LVIS-3ME Security Vulnerability — LOYTEC LVIS-3ME | 8.1 | - | 2017-10-05 |
| CVE-2012-4687 | Post Oak Bluetooth Traffic Systems Insufficient Entropy — AWAM Bluetooth Reader Traffic System | 6.8 | - | 2012-12-08 |

Vulnerabilities classified as CWE-331 (Insufficient Entropy) represent 51 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.