CWE-330
DiscouragedUse of Insufficiently Random Values
Abstraction: Class · Status: Stable
The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.
445 vulnerabilities reference this CWE, most recent first.
GHSA-V2R2-7QM7-JJ6V
Vulnerability from github – Published: 2019-04-16 15:10 – Updated: 2022-11-17 19:45Spring Security versions 4.2.x prior to 4.2.12, 5.0.x prior to 5.0.12, and 5.1.x prior to 5.1.5 contain an insecure randomness vulnerability when using SecureRandomFactoryBean#setSeed to configure a SecureRandom instance. In order to be impacted, an honest application must provide a seed and make the resulting random material available to an attacker for inspection.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.springframework.security:spring-security-core"
},
"ranges": [
{
"events": [
{
"introduced": "4.2.0"
},
{
"fixed": "4.2.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.springframework.security:spring-security-core"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "5.0.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.springframework.security:spring-security-core"
},
"ranges": [
{
"events": [
{
"introduced": "5.1.0"
},
{
"fixed": "5.1.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-3795"
],
"database_specific": {
"cwe_ids": [
"CWE-330"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T21:56:26Z",
"nvd_published_at": "2019-04-09T16:29:00Z",
"severity": "MODERATE"
},
"details": "Spring Security versions 4.2.x prior to 4.2.12, 5.0.x prior to 5.0.12, and 5.1.x prior to 5.1.5 contain an insecure randomness vulnerability when using SecureRandomFactoryBean#setSeed to configure a SecureRandom instance. In order to be impacted, an honest application must provide a seed and make the resulting random material available to an attacker for inspection.",
"id": "GHSA-v2r2-7qm7-jj6v",
"modified": "2022-11-17T19:45:44Z",
"published": "2019-04-16T15:10:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-3795"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-v2r2-7qm7-jj6v"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2019/05/msg00026.html"
},
{
"type": "WEB",
"url": "https://pivotal.io/security/cve-2019-3795"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/107802"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Spring Security uses insufficiently random values"
}
GHSA-V589-JQPW-96MW
Vulnerability from github – Published: 2023-03-31 18:30 – Updated: 2023-04-07 18:30Akuvox E11 contains a function that encrypts messages which are then forwarded. The IV vector and the key are static, and this may allow an attacker to decrypt messages.
{
"affected": [],
"aliases": [
"CVE-2023-0343"
],
"database_specific": {
"cwe_ids": [
"CWE-330"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-31T16:15:00Z",
"severity": "HIGH"
},
"details": "Akuvox E11 contains a function that encrypts messages which are then forwarded. The IV vector and the key are static, and this may allow an attacker to decrypt messages.",
"id": "GHSA-v589-jqpw-96mw",
"modified": "2023-04-07T18:30:50Z",
"published": "2023-03-31T18:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0343"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-068-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-V6RC-95XW-8XP5
Vulnerability from github – Published: 2026-07-05 03:32 – Updated: 2026-07-06 15:30Crypt::DSA versions before 1.22 for Perl draw the DSA signing nonce and private key from a biased random generator, leading to private-key recovery.
"Crypt::DSA::Util::makerandom forces the high bit of every value it returns to obtain an exactly N-bit integer for prime search. The signing nonce and the private key are drawn from makerandom. Because the high bit is always set, the result is not uniform: its top bit is fixed, producing insecure values."
An attacker who collects a modest number of signatures under an affected key, together with the public key, can recover the private key with a lattice attack.
Keys used to sign with an affected version should be considered compromised and new keys should be generated.
{
"affected": [],
"aliases": [
"CVE-2026-14570"
],
"database_specific": {
"cwe_ids": [
"CWE-330"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-05T02:17:40Z",
"severity": "HIGH"
},
"details": "Crypt::DSA versions before 1.22 for Perl draw the DSA signing nonce and private key from a biased random generator, leading to private-key recovery.\n\n\"Crypt::DSA::Util::makerandom forces the high bit of every value it returns to obtain an exactly N-bit integer for prime search. The signing nonce and the private key are drawn from makerandom. Because the high bit is always set, the result is not uniform: its top bit is fixed, producing insecure values.\"\n\nAn attacker who collects a modest number of signatures under an affected key, together with the public key, can recover the private key with a lattice attack.\n\nKeys used to sign with an affected version should be considered compromised and new keys should be generated.",
"id": "GHSA-v6rc-95xw-8xp5",
"modified": "2026-07-06T15:30:46Z",
"published": "2026-07-05T03:32:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14570"
},
{
"type": "WEB",
"url": "https://metacpan.org/release/TIMLEGGE/Crypt-DSA-1.21/source/lib/Crypt/DSA/Util.pm#L56"
},
{
"type": "WEB",
"url": "https://metacpan.org/release/TIMLEGGE/Crypt-DSA-1.22/changes"
},
{
"type": "WEB",
"url": "https://metacpan.org/release/TIMLEGGE/Crypt-DSA-1.22/diff/TIMLEGGE/Crypt-DSA-1.21#lib/Crypt/DSA/Util.pm"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/07/05/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-V6WR-FCH2-VM5W
Vulnerability from github – Published: 2018-10-18 17:41 – Updated: 2023-09-12 14:43OrientDB Server Community Edition before 2.0.15 and 2.1.x before 2.1.1 improperly relies on the java.util.Random class for generation of random Session ID values in the server/network/protocol/http/OHttpSessionManager.java, which makes it easier for remote attackers to predict a value by determining the internal state of the PRNG in this class.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.orientechnologies:orientdb-server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.15"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.orientechnologies:orientdb-server"
},
"ranges": [
{
"events": [
{
"introduced": "2.1.0"
},
{
"fixed": "2.1.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.1.0"
]
}
],
"aliases": [
"CVE-2015-2913"
],
"database_specific": {
"cwe_ids": [
"CWE-330"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T21:57:02Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "OrientDB Server Community Edition before 2.0.15 and 2.1.x before 2.1.1 improperly relies on the `java.util.Random` class for generation of random Session ID values in the `server/network/protocol/http/OHttpSessionManager.java`, which makes it easier for remote attackers to predict a value by determining the internal state of the PRNG in this class.",
"id": "GHSA-v6wr-fch2-vm5w",
"modified": "2023-09-12T14:43:49Z",
"published": "2018-10-18T17:41:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-2913"
},
{
"type": "WEB",
"url": "https://github.com/orientechnologies/orientdb/commit/668ece96be210e742a4e2820a3085b215cf55104"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-v6wr-fch2-vm5w"
},
{
"type": "PACKAGE",
"url": "https://github.com/orientechnologies/orientdb"
},
{
"type": "WEB",
"url": "https://www.kb.cert.org/vuls/id/845332"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "OrientDB Server Community Edition uses insufficiently random values to generate session IDs"
}
GHSA-V7PR-9GFG-7HPC
Vulnerability from github – Published: 2022-07-26 00:01 – Updated: 2023-07-11 15:31LibreOffice supports the storage of passwords for web connections in the user’s configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in LibreOffice existed where the required initialization vector for encryption was always the same which weakens the security of the encryption making them vulnerable if an attacker has access to the user's configuration data. This issue affects: The Document Foundation LibreOffice 7.2 versions prior to 7.2.7; 7.3 versions prior to 7.3.1.
{
"affected": [],
"aliases": [
"CVE-2022-26306"
],
"database_specific": {
"cwe_ids": [
"CWE-326",
"CWE-330"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-25T15:15:00Z",
"severity": "HIGH"
},
"details": "LibreOffice supports the storage of passwords for web connections in the user\u2019s configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in LibreOffice existed where the required initialization vector for encryption was always the same which weakens the security of the encryption making them vulnerable if an attacker has access to the user\u0027s configuration data. This issue affects: The Document Foundation LibreOffice 7.2 versions prior to 7.2.7; 7.3 versions prior to 7.3.1.",
"id": "GHSA-v7pr-9gfg-7hpc",
"modified": "2023-07-11T15:31:08Z",
"published": "2022-07-26T00:01:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26306"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/03/msg00022.html"
},
{
"type": "WEB",
"url": "https://www.libreoffice.org/about-us/security/advisories/cve-2022-26306"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2022/08/13/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-V9GV-XP36-JGJ8
Vulnerability from github – Published: 2026-06-30 16:15 – Updated: 2026-06-30 16:15Impact
Shovel and Federation plugins perform URI obfuscation in their worker (link) state. The encryption key used to encrypt the URI was seeded with a predictable secret.
This means that in case of certain exceptions related to Shovel and Federation plugins, reasonably easily deobfuscatable data could appear in the node log.
Patched versions correctly use a cluster-wide secret for that purpose.
Patches
Patched versions:
3.10.23.9.183.8.32
Workarounds
Disable Shovel and Federation plugins.
Credits
RabbitMQ core team would like to thank Lajos @luos Gerecs and Anh Nguyen from Erlang Solutions for responsibly disclosing and working with us on a patch for this vulnerability.
For more information
{
"affected": [
{
"package": {
"ecosystem": "Hex",
"name": "rabbit_common"
},
"ranges": [
{
"events": [
{
"introduced": "3.10.0"
},
{
"fixed": "3.10.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Hex",
"name": "rabbit_common"
},
"ranges": [
{
"events": [
{
"introduced": "3.9.0"
},
{
"fixed": "3.9.18"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Hex",
"name": "rabbit_common"
},
"ranges": [
{
"events": [
{
"introduced": "3.8.0"
},
{
"fixed": "3.8.32"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-31008"
],
"database_specific": {
"cwe_ids": [
"CWE-330",
"CWE-335"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-30T16:15:48Z",
"nvd_published_at": "2022-10-06T18:16:00Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nShovel and Federation plugins perform URI obfuscation in their worker (link) state. The encryption key used to encrypt\nthe URI was seeded with a predictable secret.\n\nThis means that in case of certain exceptions related to Shovel and Federation plugins,\nreasonably easily deobfuscatable data could appear in the node log.\n\nPatched versions correctly use a cluster-wide secret for that purpose.\n\n### Patches\n\nPatched versions:\n\n * `3.10.2`\n * `3.9.18`\n * `3.8.32`\n\n### Workarounds\n\nDisable Shovel and Federation plugins.\n\n### Credits\n\nRabbitMQ core team would like to thank Lajos @luos Gerecs and Anh Nguyen from Erlang Solutions\nfor responsibly disclosing and working with us on a patch for this vulnerability.\n\n### For more information\n\n * [Mailing list](https://groups.google.com/forum/#!forum/rabbitmq-users)\n * [Community Slack](https://rabbitmq-slack.herokuapp.com/)",
"id": "GHSA-v9gv-xp36-jgj8",
"modified": "2026-06-30T16:15:48Z",
"published": "2026-06-30T16:15:48Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-v9gv-xp36-jgj8"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31008"
},
{
"type": "WEB",
"url": "https://github.com/rabbitmq/rabbitmq-server/pull/4841"
},
{
"type": "WEB",
"url": "https://github.com/rabbitmq/rabbitmq-server/commit/c22e1cb20e656d211e025c417d1fc75a9067b717"
},
{
"type": "PACKAGE",
"url": "https://github.com/rabbitmq/rabbitmq-server"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "RabbitMQ has predictable credential obfuscation seed value used in Shovel and Federation plugins"
}
GHSA-VCWC-JG96-FG4R
Vulnerability from github – Published: 2022-05-24 17:44 – Updated: 2022-05-24 17:44In onPackageModified of VoiceInteractionManagerService.java, there is a possible change of default applications due to an insecure default value. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-167261484
{
"affected": [],
"aliases": [
"CVE-2021-0375"
],
"database_specific": {
"cwe_ids": [
"CWE-330"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-03-10T16:15:00Z",
"severity": "MODERATE"
},
"details": "In onPackageModified of VoiceInteractionManagerService.java, there is a possible change of default applications due to an insecure default value. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-167261484",
"id": "GHSA-vcwc-jg96-fg4r",
"modified": "2022-05-24T17:44:06Z",
"published": "2022-05-24T17:44:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0375"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/pixel/2021-03-01"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-VFGX-5Q85-58Q3
Vulnerability from github – Published: 2026-03-31 23:43 – Updated: 2026-03-31 23:43Summary
The generate_pseudorandom_sequence() function in openssl_encrypt/plugins/steganography/core/utils.py at lines 89-91 uses Python's random module (Mersenne Twister) for steganographic pixel/sample selection.
Affected Code
random.seed(seed)
sequence = random.sample(range(max_value), min(length, max_value))
return sequence
Additionally, the steganography password is stored as a plain Python string (not SecureBytes) and only 8 bytes (64 bits) of the SHA-256 hash are used for the seed, reducing effective security to 64 bits.
Impact
The Mersenne Twister's state can be recovered from approximately 624 outputs. An attacker who knows or guesses the password can predict the PRNG sequence and determine exactly which pixels contain hidden data, potentially extracting the hidden data without the password.
Recommended Fix
- Use HMAC-DRBG or
secretsmodule for cryptographically secure pixel selection - Use full 32-byte SHA-256 output as seed material
- Store the password in
SecureBytesinstead of a plain string
Fix
Fixed in commit 09e96e0 on branch releases/1.4.x — replaced random.seed(hash(password)) with HMAC-SHA256 based CSPRNG (Fisher-Yates shuffle) and numpy Generator with HMAC-derived seeds across all steganography format modules.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "openssl-encrypt"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.4.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-330"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-31T23:43:06Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\n\nThe `generate_pseudorandom_sequence()` function in `openssl_encrypt/plugins/steganography/core/utils.py` at **lines 89-91** uses Python\u0027s `random` module (Mersenne Twister) for steganographic pixel/sample selection.\n\n### Affected Code\n\n```python\nrandom.seed(seed)\nsequence = random.sample(range(max_value), min(length, max_value))\nreturn sequence\n```\n\nAdditionally, the steganography password is stored as a plain Python string (not `SecureBytes`) and only 8 bytes (64 bits) of the SHA-256 hash are used for the seed, reducing effective security to 64 bits.\n\n### Impact\n\nThe Mersenne Twister\u0027s state can be recovered from approximately 624 outputs. An attacker who knows or guesses the password can predict the PRNG sequence and determine exactly which pixels contain hidden data, potentially extracting the hidden data without the password.\n\n### Recommended Fix\n\n- Use HMAC-DRBG or `secrets` module for cryptographically secure pixel selection\n- Use full 32-byte SHA-256 output as seed material\n- Store the password in `SecureBytes` instead of a plain string\n\n### Fix\n\nFixed in commit `09e96e0` on branch `releases/1.4.x` \u2014 replaced random.seed(hash(password)) with HMAC-SHA256 based CSPRNG (Fisher-Yates shuffle) and numpy Generator with HMAC-derived seeds across all steganography format modules.",
"id": "GHSA-vfgx-5q85-58q3",
"modified": "2026-03-31T23:43:06Z",
"published": "2026-03-31T23:43:06Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/jahlives/openssl_encrypt/security/advisories/GHSA-vfgx-5q85-58q3"
},
{
"type": "WEB",
"url": "https://github.com/jahlives/openssl_encrypt/commit/09e96e090417d34d2f533f6810d3cd4f77810101"
},
{
"type": "PACKAGE",
"url": "https://github.com/jahlives/openssl_encrypt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "openssl-encrypt has non-cryptographic PRNG used for steganography pixel selection"
}
GHSA-VGH3-QFVH-CW6Q
Vulnerability from github – Published: 2022-05-17 03:15 – Updated: 2022-05-17 03:15Johnson & Johnson Animas OneTouch Ping devices do not properly generate random numbers, which makes it easier for remote attackers to spoof meters by sniffing the network and then engaging in an authentication handshake.
{
"affected": [],
"aliases": [
"CVE-2016-5085"
],
"database_specific": {
"cwe_ids": [
"CWE-330"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2016-10-05T10:59:00Z",
"severity": "HIGH"
},
"details": "Johnson \u0026 Johnson Animas OneTouch Ping devices do not properly generate random numbers, which makes it easier for remote attackers to spoof meters by sniffing the network and then engaging in an authentication handshake.",
"id": "GHSA-vgh3-qfvh-cw6q",
"modified": "2022-05-17T03:15:21Z",
"published": "2022-05-17T03:15:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-5085"
},
{
"type": "WEB",
"url": "https://community.rapid7.com/community/infosec/blog/2016/10/04/r7-2016-07-multiple-vulnerabilities-in-animas-onetouch-ping-insulin-pump"
},
{
"type": "WEB",
"url": "https://ics-cert.us-cert.gov/advisories/ICSMA-16-279-01"
},
{
"type": "WEB",
"url": "http://www.kb.cert.org/vuls/id/884840"
},
{
"type": "WEB",
"url": "http://www.kb.cert.org/vuls/id/BLUU-A9SQRS"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/93351"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VGMM-R7WP-GMV8
Vulnerability from github – Published: 2022-03-15 00:00 – Updated: 2024-10-07 18:31The Rambus SafeZone Basic Crypto Module, as used in certain Fujifilm (formerly Fuji Xerox) devices before 2022-03-01 and potentially many other devices, generates RSA keys that can be broken with Fermat's factorization method. This allows efficient calculation of private RSA keys from the public key of a TLS certificate.
{
"affected": [],
"aliases": [
"CVE-2022-26320"
],
"database_specific": {
"cwe_ids": [
"CWE-330"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-14T18:15:00Z",
"severity": "CRITICAL"
},
"details": "The Rambus SafeZone Basic Crypto Module, as used in certain Fujifilm (formerly Fuji Xerox) devices before 2022-03-01 and potentially many other devices, generates RSA keys that can be broken with Fermat\u0027s factorization method. This allows efficient calculation of private RSA keys from the public key of a TLS certificate.",
"id": "GHSA-vgmm-r7wp-gmv8",
"modified": "2024-10-07T18:31:00Z",
"published": "2022-03-15T00:00:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26320"
},
{
"type": "WEB",
"url": "https://fermatattack.secvuln.info"
},
{
"type": "WEB",
"url": "https://global.canon/en/support/security/index.html"
},
{
"type": "WEB",
"url": "https://safezoneswupdate.com"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20220922042721/https://safezoneswupdate.com"
},
{
"type": "WEB",
"url": "https://www.fujifilm.com/fbglobal/eng/company/news/notice/2022/0302_rsakey_announce.html"
},
{
"type": "WEB",
"url": "https://www.rambus.com/security/response-center/advisories/rmbs-2021-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
- Use a well-vetted algorithm that is currently considered to be strong by experts in the field, and select well-tested implementations with adequate length seeds.
- In general, if a pseudo-random number generator is not advertised as being cryptographically secure, then it is probably a statistical PRNG and should not be used in security-sensitive contexts.
- Pseudo-random number generators can produce predictable numbers if the generator is known and the seed can be guessed. A 256-bit seed is a good starting point for producing a "random enough" number.
Mitigation
Consider a PRNG that re-seeds itself as needed from high quality pseudo-random output sources, such as hardware devices.
Mitigation MIT-2
Strategy: Libraries or Frameworks
Use products or modules that conform to FIPS 140-2 [REF-267] to avoid obvious entropy problems. Consult FIPS 140-2 Annex C ("Approved Random Number Generators").
CAPEC-112: Brute Force
In this attack, some asset (information, functionality, identity, etc.) is protected by a finite secret value. The attacker attempts to gain access to this asset by using trial-and-error to exhaustively explore all the possible secret values in the hope of finding the secret (or a value that is functionally equivalent) that will unlock the asset.
CAPEC-485: Signature Spoofing by Key Recreation
An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
CAPEC-59: Session Credential Falsification through Prediction
This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.