
CWE-341 Predictable from Observable State: Vulnerability List (10)

CWE-341 Predictable from Observable State weakness class: a summary of 10 CVE vulnerabilities, with AI-generated Chinese analysis.

CWE-341 belongs to the predictable-state class of weaknesses: an attacker observes the current state of the system or network (such as timestamps or process IDs) and from that infers a value or object that was supposed to be unpredictable. Attackers commonly use this weakness to predict session tokens or cryptographic keys and then carry out session hijacking or privilege escalation. Developers should avoid random number generators seeded from easily observed variables such as time or process ID and instead use a cryptographically secure pseudo-random number generator (CSPRNG), so that generated values carry enough entropy to be unpredictable.

MITRE CWE Official Description
CWE: CWE-341 Predictable from Observable State. Description: A number or object is predictable based on observations that the attacker can make about the state of the system or network, such as time, process ID, etc.
Common Consequences (1)
Scope: Other · Impact: Varies by Context
This weakness could be exploited by an attacker in a number of ways depending on the context. If a predictable number is used to generate IDs or keys that are used within protection mechanisms, then an attacker could gain unauthorized access to the system. If predictable filenames are used for storing …
Mitigations (3)
Phase: Implementation · Increase the entropy used to seed a PRNG.
Phase: Architecture and Design, Requirements · Use products or modules that conform to FIPS 140-2 [REF-267] to avoid obvious entropy problems. Consult FIPS 140-2 Annex C ("Approved Random Number Generators").
Phase: Implementation · Use a PRNG that periodically re-seeds itself using input from high-quality sources, such as hardware devices with high entropy. However, do not re-seed too frequently, or else the entropy source might block.
Code Example (1)
This code generates a unique random identifier for a user's session. The seed is the user ID, a value an observer can learn, so the "random" session ID is a deterministic function of that ID (the weakness is intentional; this is the bad example).

    function generateSessionID($userID) {
        srand($userID);   // seed derived from observable state: output is predictable
        return rand();
    }
Bad · PHP
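As an added illustration (not part of the MITRE entry or this platform's own material), the page's vulnerable generator is shown next to a hardened version that takes its token from the operating system's CSPRNG via `random_bytes()`, with a small self-check that a reviewer can run; the function names and the constructed user ID 1001 are this example's own, and it assumes PHP 7.1 or later.

```php
<?php
// Added example, not from the page: the vulnerable generator next to a hardened
// one, plus a self-check. Function names and the user ID 1001 are constructed.

// Vulnerable (as on the page): seeding with the user ID, which any observer of
// the system can learn, makes rand() a deterministic function of that ID.
function generateSessionIDBad(int $userID): int
{
    srand($userID);
    return rand();
}

// Hardened: draw the token straight from the OS CSPRNG. 32 bytes is 256 bits of
// entropy, far beyond the 31 bits a single rand() call can return, and no
// caller-supplied seed is involved at all.
function generateSessionIDGood(): string
{
    return bin2hex(random_bytes(32)); // 64 hex characters
}

// Self-check: the bad generator repeats for the same input, the good one does
// not, and the good token has the expected length.
function selfCheck(): array
{
    $bad1  = generateSessionIDBad(1001);
    $bad2  = generateSessionIDBad(1001);
    $good1 = generateSessionIDGood();
    $good2 = generateSessionIDGood();
    return [
        'bad_is_deterministic' => $bad1 === $bad2,   // true: same ID, same value
        'good_is_unique'       => $good1 !== $good2, // true (collision odds ~2^-256)
        'good_token_length'    => strlen($good1),    // 64
    ];
}

print_r(selfCheck());
```

When the token is used as a PHP session identifier, pass it to `session_id()` before `session_start()` and regenerate it on login; the deterministic result in `bad_is_deterministic` is exactly the property CWE-341 describes.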
| CVE ID | Title | Product | CVSS | Risk level | Published |
|---|---|---|---|---|---|
| CVE-2026-42365 | GeoVision LPC2011/LPC2211 web interface guessable session cookie vulnerability | GV-LPC2011/LPC2211 | 8.6 | High | 2026-05-04 |
| CVE-2025-40780 | ISC BIND 9 security vulnerability | BIND 9 | 8.6 | High | 2025-10-22 |
| CVE-2025-42925 | SAP NetWeaver AS Java security vulnerability | SAP NetWeaver AS Java (IIOP Service) | 4.3 | Medium | 2025-09-09 |
| CVE-2024-10141 | COCO Annotator security vulnerability | COCO Annotator | 3.7 | Low | 2024-10-19 |
| CVE-2023-49259 | Hongdian Router H8951-4G-ESP security vulnerability | H8951-4G-ESP | 5.3 | - | 2024-01-12 |
| CVE-2021-4277 | utils security feature issue vulnerability | utils | 2.6 | Low | 2022-12-25 |
| CVE-2020-5365 | Dell EMC Isilon OneFS security feature issue vulnerability | Isilon OneFS | 5.3 | Medium | 2020-05-20 |
| CVE-2020-1731 | Red Hat Keycloak operator security vulnerability | keycloak | 9.1 | Critical | 2020-03-02 |
| CVE-2019-6563 | Multiple Moxa products information disclosure vulnerability | Moxa IKS, EDS | 9.8 | - | 2019-03-05 |
| CVE-2018-17917 | Xiongmai XMeye P2P Cloud Server security vulnerability | XMeye P2P Cloud Server | 5.3 | - | 2018-10-10 |

CWE-341 (Predictable from Observable State) is a common weakness class; this platform has collected 10 CVE vulnerabilities associated with it.