Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-343 (从先前值可预测取值范围) — Vulnerability Class 4

4 vulnerabilities classified as CWE-343 (从先前值可预测取值范围). AI Chinese analysis included.

CWE-343 represents a critical weakness in cryptographic systems where a pseudo-random number generator fails to maintain sufficient entropy, allowing attackers to infer the next output based on previous values. This predictability typically enables exploitation in security-sensitive contexts, such as session token generation or cryptographic key creation, where an adversary can predict future values to hijack sessions or decrypt data. Developers mitigate this risk by implementing cryptographically secure pseudo-random number generators (CSPRNGs) that are designed to be non-deterministic and resistant to state-seizing attacks. It is essential to seed these generators with high-entropy sources and avoid using standard library functions like `rand()` for security purposes. Regular auditing of random number implementation ensures that the output remains statistically indistinguishable from true randomness, thereby preventing attackers from establishing predictive patterns.

MITRE CWE Description
The product's random number generator produces a series of values which, when observed, can be used to infer a relatively small range of possibilities for the next value that could be generated. The output of a random number generator should not be predictable based on observations of previous values. In some cases, an attacker cannot predict the exact value that will be produced next, but can narrow down the possibilities significantly. This reduces the amount of effort to perform a brute force attack. For example, suppose the product generates random numbers between 1 and 100, but it always produces a larger value until it reaches 100. If the generator produces an 80, then the attacker knows that the next value will be somewhere between 81 and 100. Instead of 100 possibilities, the attacker only needs to consider 20.
Common Consequences (1)
OtherVaries by Context
Mitigations (3)
Increase the entropy used to seed a PRNG.
Architecture and Design, RequirementsUse products or modules that conform to FIPS 140-2 [REF-267] to avoid obvious entropy problems. Consult FIPS 140-2 Annex C ("Approved Random Number Generators").
ImplementationUse a PRNG that periodically re-seeds itself using input from high-quality sources, such as hardware devices with high entropy. However, do not re-seed too frequently, or else the entropy source might block.
CVE IDTitleCVSSSeverityPublished
CVE-2026-32694 Insecure Direct Object Reference attack via predictable secret ID in Juju — Juju 6.6 Medium2026-03-18
CVE-2017-6030 多款Schneider Electric Modicon产品安全特征问题漏洞 — Schneider Electric Modicon PLCs 7.3 -2017-06-30
CVE-2017-7901 多款Rockwell Automation产品安全漏洞 — Rockwell Automation Allen-Bradley MicroLogix 1100 and 1400 9.4 -2017-06-30
CVE-2014-5409 GE Hydran M2 Predictable Value Range from Previous Values — Hydran M2, containing the 17046 Ethernet option 5.3 -2015-03-14

Vulnerabilities classified as CWE-343 (从先前值可预测取值范围) represent 4 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.