36 vulnerabilities classified as CWE-340 (Predictability Problems). AI Chinese analysis included.
CWE-340 represents a critical weakness where software generates numbers or identifiers with insufficient entropy, making them predictable to attackers. This flaw typically arises when developers rely on basic pseudo-random number generators or sequential counters for security-sensitive contexts like session tokens, cryptographic keys, or access controls. Attackers exploit this by analyzing patterns or brute-forcing the predictable sequence to hijack user sessions, escalate privileges, or bypass authentication mechanisms entirely. To mitigate this risk, developers must employ cryptographically secure pseudo-random number generators (CSPRNGs) that provide high entropy and resistance to prediction. Additionally, avoiding sequential identifiers for security purposes and implementing proper randomness seeding are essential practices. By ensuring that generated values are statistically random and unpredictable, organizations can significantly reduce the attack surface associated with identifier guessing and maintain the integrity of their security controls.
Demonstrative example of the weakness (PHP): the PRNG is seeded with the user ID, so the resulting "session ID" is fully determined by a value that is not secret.

```php
<?php
// Vulnerable by design: srand() seeds the generator with a value an attacker
// can know or guess, and rand() is not a cryptographically secure PRNG, so
// every call with the same $userID yields the same "session ID".
function generateSessionID($userID) {
    srand($userID);
    return rand();
}
```

| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2025-0218 | pgAgent scheduled batch job scripts are created in a predictable temporary directory potentially allowing a denial of service — pgAgent | 5.5 | Medium | 2025-01-07 |
| CVE-2024-12034 | Advanced Google reCAPTCHA <= 1.25 - Brute Force Protection IP Unblock — Advanced Google reCAPTCHA | 5.3 | Medium | 2024-12-24 |
| CVE-2024-52299 | The PDF viewer macro allows accessing any attachment without access right checks — macro-pdfviewer | 7.5 | High | 2024-11-13 |
| CVE-2024-47945 | Predictable Session ID — IoT Interface & CMC III Processing Unit | 8.2 | - | 2024-10-15 |
| CVE-2021-29480 | Default client side session signing key is highly predictable — ratpack | 4.4 | Medium | 2021-06-29 |
| CVE-2020-1905 | Facebook WhatsApp security feature vulnerability — WhatsApp for Android | 3.3 | - | 2020-10-06 |
Vulnerabilities classified as CWE-340 (Predictability Problems) represent 36 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.