
CWE-334 (Small Space of Random Values) — Vulnerability Class 10

10 vulnerabilities classified as CWE-334 (Small Space of Random Values). AI Chinese-language analysis included.

CWE-334 represents a cryptographic weakness where the entropy of generated random values is insufficient for the intended security context. This deficiency arises when the algorithm’s output space is too small, often due to poor seeding or limited bit-width, rendering the values predictable. Attackers typically exploit this by performing brute-force or statistical analysis attacks to guess the correct value, thereby bypassing authentication mechanisms, session identifiers, or cryptographic keys. To mitigate this risk, developers must employ cryptographically secure pseudo-random number generators (CSPRNGs) that provide adequate entropy. It is crucial to ensure that the random number generator is properly seeded with high-entropy sources and that the resulting values meet the minimum length requirements specified by current cryptographic standards, ensuring resistance against exhaustive search attempts.

MITRE CWE Description
The number of possible random values is smaller than needed by the product, making it more susceptible to brute force attacks.
Common Consequences (1)
Scope: Access Control, Other
Impact: Bypass Protection Mechanism, Other
An attacker could easily guess the values used. This could lead to unauthorized access to a system if the seed is used for authentication and authorization.
Mitigations (1)
Phase: Architecture and Design, Requirements
Use products or modules that conform to FIPS 140-2 [REF-267] to avoid obvious entropy problems. Consult FIPS 140-2 Annex C ("Approved Random Number Generators").
Examples (1)
The following XML example code is a deployment descriptor for a Java web application deployed on a Sun Java Application Server. This deployment descriptor includes a session configuration property for configuring the session ID length.

<sun-web-app>
  ...
  <session-config>
    <session-properties>
      <property name="idLengthBytes" value="8">
        <description>The number of bytes in this web module's session ID.</description>
      </property>
    </session-properties>
  </session-config>
  ...
</sun-web-app>
Bad · XML
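As an added example (not part of the CWE entry or of any Sun/GlassFish code), the following Python audits a sun-web-app descriptor like the one above for an undersized idLengthBytes, reports the resulting session ID space in bits, and generates IDs from the operating system's CSPRNG while refusing lengths below an assumed 128-bit policy minimum. The sample descriptor and the 128-bit threshold are constructed assumptions.

```python
import secrets
import xml.etree.ElementTree as ET

# Constructed sample modelled on the descriptor above: 8-byte session IDs.
SUN_WEB_APP_XML = """<sun-web-app>
  <session-config>
    <session-properties>
      <property name="idLengthBytes" value="8">
        <description>The number of bytes in this web module's session ID.</description>
      </property>
    </session-properties>
  </session-config>
</sun-web-app>"""

# Assumed policy: a session ID must carry at least 128 random bits (16 bytes).
MIN_ID_BITS = 128


def configured_id_length_bytes(descriptor_xml: str, default: int = 16) -> int:
    """Return the idLengthBytes value from a sun-web-app descriptor.

    Falls back to `default` (an assumption, not the server's real default)
    when the property is absent.
    """
    root = ET.fromstring(descriptor_xml)
    for prop in root.iterfind("./session-config/session-properties/property"):
        if prop.get("name") == "idLengthBytes":
            return int(prop.get("value"))
    return default


def audit_session_id_space(descriptor_xml: str) -> dict:
    """Size the session ID space and check it against MIN_ID_BITS."""
    length = configured_id_length_bytes(descriptor_xml)
    bits = 8 * length
    return {
        "id_length_bytes": length,
        "id_space_bits": bits,
        "avg_guesses_to_hit": 2 ** (bits - 1),  # half the space, on average
        "compliant": bits >= MIN_ID_BITS,
    }


def new_session_id(length_bytes: int) -> str:
    """Generate a session ID from the OS CSPRNG, refusing undersized lengths."""
    if 8 * length_bytes < MIN_ID_BITS:
        raise ValueError(f"session ID space too small: {8 * length_bytes} bits")
    return secrets.token_hex(length_bytes)


if __name__ == "__main__":
    print(audit_session_id_space(SUN_WEB_APP_XML))
    print(new_session_id(16))
```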

Vulnerabilities classified as CWE-334 (Small Space of Random Values) represent 10 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.