CWE-331
AllowedInsufficient Entropy
Abstraction: Base · Status: Draft
The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.
207 vulnerabilities reference this CWE, most recent first.
GHSA-W3R9-MWPJ-G2C7
Vulnerability from github – Published: 2022-05-13 01:04 – Updated: 2026-06-05 00:31A Predictable Value Range from Previous Values issue was discovered in Schneider Electric Modicon PLCs Modicon M221, firmware versions prior to Version 1.5.0.0, Modicon M241, firmware versions prior to Version 4.0.5.11, and Modicon M251, firmware versions prior to Version 4.0.5.11. The affected products generate insufficiently random TCP initial sequence numbers that may allow an attacker to predict the numbers from previous values. This may allow an attacker to spoof or disrupt TCP connections.
{
"affected": [],
"aliases": [
"CVE-2017-6030"
],
"database_specific": {
"cwe_ids": [
"CWE-331",
"CWE-343"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-06-30T03:29:00Z",
"severity": "MODERATE"
},
"details": "A Predictable Value Range from Previous Values issue was discovered in Schneider Electric Modicon PLCs Modicon M221, firmware versions prior to Version 1.5.0.0, Modicon M241, firmware versions prior to Version 4.0.5.11, and Modicon M251, firmware versions prior to Version 4.0.5.11. The affected products generate insufficiently random TCP initial sequence numbers that may allow an attacker to predict the numbers from previous values. This may allow an attacker to spoof or disrupt TCP connections.",
"id": "GHSA-w3r9-mwpj-g2c7",
"modified": "2026-06-05T00:31:34Z",
"published": "2022-05-13T01:04:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-6030"
},
{
"type": "WEB",
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2017/icsa-17-089-02.json"
},
{
"type": "WEB",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-089-02"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/97254"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-W3WC-44P4-M4J7
Vulnerability from github – Published: 2026-04-01 20:29 – Updated: 2026-04-01 20:29Impact
In applications built with the Auth0 PHP SDK, cookies are encrypted with insufficient entropy, which may result in threat actors brute-forcing the encryption key and forging session cookies.
Am I Affected?
Consumers are affected if their application meets the following preconditions: - Their application is using the Auth0-PHP SDK, versions between 8.0.0 and 8.18.0 - Their application is using the Auth0-PHP SDK, or the following SDKs that rely on the Auth0-PHP SDK: - Auth0/symfony, - Auth0/laravel0-auth0, or - Auth0/wordpress
Resolution
Upgrade Auth0/Auth0-PHP to version 8.19.0 or greater.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 8.18.0"
},
"package": {
"ecosystem": "Packagist",
"name": "auth0/auth0-php"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.19.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-34236"
],
"database_specific": {
"cwe_ids": [
"CWE-331"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-01T20:29:26Z",
"nvd_published_at": "2026-04-01T18:16:30Z",
"severity": "HIGH"
},
"details": "### Impact\nIn applications built with the Auth0 PHP SDK, cookies are encrypted with insufficient entropy, which may result in threat actors brute-forcing the encryption key and forging session cookies.\n\n### Am I Affected?\nConsumers are affected if their application meets the following preconditions:\n- Their application is using the Auth0-PHP SDK, versions between 8.0.0 and 8.18.0\n- Their application is using the Auth0-PHP SDK, or the following SDKs that rely on the Auth0-PHP SDK:\n - Auth0/symfony,\n - Auth0/laravel0-auth0, or\n - Auth0/wordpress\n\n### Resolution\nUpgrade Auth0/Auth0-PHP to version 8.19.0 or greater.",
"id": "GHSA-w3wc-44p4-m4j7",
"modified": "2026-04-01T20:29:43Z",
"published": "2026-04-01T20:29:26Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/auth0/auth0-PHP/security/advisories/GHSA-w3wc-44p4-m4j7"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34236"
},
{
"type": "PACKAGE",
"url": "https://github.com/auth0/auth0-PHP"
},
{
"type": "WEB",
"url": "https://github.com/auth0/auth0-PHP/releases/tag/8.19.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Auth0 PHP SDK has Insufficient Entropy in Cookie Encryption"
}
GHSA-W3XP-RQX4-CH6M
Vulnerability from github – Published: 2026-01-06 18:31 – Updated: 2026-01-06 18:31Arteco Web Client DVR/NVR contains a session hijacking vulnerability with insufficient session ID complexity that allows remote attackers to bypass authentication. Attackers can brute force session IDs within a specific numeric range to obtain valid sessions and access live camera streams without authorization.
{
"affected": [],
"aliases": [
"CVE-2020-36925"
],
"database_specific": {
"cwe_ids": [
"CWE-331"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-06T16:15:50Z",
"severity": "HIGH"
},
"details": "Arteco Web Client DVR/NVR contains a session hijacking vulnerability with insufficient session ID complexity that allows remote attackers to bypass authentication. Attackers can brute force session IDs within a specific numeric range to obtain valid sessions and access live camera streams without authorization.",
"id": "GHSA-w3xp-rqx4-ch6m",
"modified": "2026-01-06T18:31:35Z",
"published": "2026-01-06T18:31:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36925"
},
{
"type": "WEB",
"url": "https://cxsecurity.com/issue/WLB-2020120170"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/193750"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/194139"
},
{
"type": "WEB",
"url": "https://packetstorm.news/files/id/160718"
},
{
"type": "WEB",
"url": "https://www.arteco-global.com"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/49348"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/arteco-web-client-dvrnvr-session-id-brute-force-authentication-bypass"
},
{
"type": "WEB",
"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5613.php"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-W6PF-CX8P-259Q
Vulnerability from github – Published: 2022-05-13 01:26 – Updated: 2025-04-20 03:36Invision Power Services (IPS) Community Suite before 4.1.9 makes session hijack easier by relying on the PHP uniqid function without the more_entropy flag. Attackers can guess an Invision Power Board session cookie if they can predict the exact time of cookie generation.
{
"affected": [],
"aliases": [
"CVE-2016-2564"
],
"database_specific": {
"cwe_ids": [
"CWE-331"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-04-23T15:59:00Z",
"severity": "MODERATE"
},
"details": "Invision Power Services (IPS) Community Suite before 4.1.9 makes session hijack easier by relying on the PHP uniqid function without the more_entropy flag. Attackers can guess an Invision Power Board session cookie if they can predict the exact time of cookie generation.",
"id": "GHSA-w6pf-cx8p-259q",
"modified": "2025-04-20T03:36:30Z",
"published": "2022-05-13T01:26:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-2564"
},
{
"type": "WEB",
"url": "https://invisionpower.com/release-notes/419-r37"
},
{
"type": "WEB",
"url": "https://medium.com/%40iancarroll/bypassing-authentication-in-invision-power-board-with-cve-2016-2564-9a24ea3655f9"
},
{
"type": "WEB",
"url": "https://medium.com/@iancarroll/bypassing-authentication-in-invision-power-board-with-cve-2016-2564-9a24ea3655f9"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-W8CC-3H7Q-JHC3
Vulnerability from github – Published: 2022-05-24 17:21 – Updated: 2025-12-05 19:37An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2, when serving as an OAuth 2.0 Service Provider. There is low entropy for authorization data.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost-server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.1.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost-server"
},
"ranges": [
{
"events": [
{
"introduced": "4.2.0-rc1"
},
{
"fixed": "4.2.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost-server"
},
"ranges": [
{
"events": [
{
"introduced": "4.3.0-rc1"
},
{
"fixed": "4.3.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2017-18883"
],
"database_specific": {
"cwe_ids": [
"CWE-331"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-05T19:37:33Z",
"nvd_published_at": "2020-06-19T19:15:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2, when serving as an OAuth 2.0 Service Provider. There is low entropy for authorization data.",
"id": "GHSA-w8cc-3h7q-jhc3",
"modified": "2025-12-05T19:37:33Z",
"published": "2022-05-24T17:21:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-18883"
},
{
"type": "PACKAGE",
"url": "https://github.com/mattermost/mattermost"
},
{
"type": "WEB",
"url": "https://mattermost.com/security-updates"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Mattermost Server has low entropy for authorization data as an OAuth 2.0 Service Provider"
}
GHSA-WM67-CJ4W-P69M
Vulnerability from github – Published: 2026-05-21 21:30 – Updated: 2026-05-22 00:31Authen::TOTP versions before 0.1.1 for Perl generate secrets using rand.
Secrets were generated using Perl's built-in rand function, which is predictable and unsuitable for security usage.
{
"affected": [],
"aliases": [
"CVE-2026-46473"
],
"database_specific": {
"cwe_ids": [
"CWE-331"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-21T19:16:53Z",
"severity": "HIGH"
},
"details": "Authen::TOTP versions before 0.1.1 for Perl generate secrets using rand.\n\nSecrets were generated using Perl\u0027s built-in rand function, which is predictable and unsuitable for security usage.",
"id": "GHSA-wm67-cj4w-p69m",
"modified": "2026-05-22T00:31:15Z",
"published": "2026-05-21T21:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46473"
},
{
"type": "WEB",
"url": "https://github.com/tchatzi/Authen-TOTP/commit/d04f30cc6538d77fc6b6d550da450cf3017b8561.patch"
},
{
"type": "WEB",
"url": "https://metacpan.org/release/TCHATZI/Authen-TOTP-0.1.1/changes"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/05/21/15"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WQCC-QF63-C2X4
Vulnerability from github – Published: 2024-01-10 18:30 – Updated: 2025-11-04 22:11An insufficient entropy vulnerability exists in the salt generation functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted series of HTTP requests can lead to privilege escalation. An attacker can gather system information via HTTP requests and bruteforce the salt offline, leading to forging a legitimate password recovery code for the admin user.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "wwbn/avideo"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "12.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-49599"
],
"database_specific": {
"cwe_ids": [
"CWE-331"
],
"github_reviewed": true,
"github_reviewed_at": "2024-01-12T23:23:08Z",
"nvd_published_at": "2024-01-10T16:15:48Z",
"severity": "CRITICAL"
},
"details": "An insufficient entropy vulnerability exists in the salt generation functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted series of HTTP requests can lead to privilege escalation. An attacker can gather system information via HTTP requests and bruteforce the salt offline, leading to forging a legitimate password recovery code for the admin user.",
"id": "GHSA-wqcc-qf63-c2x4",
"modified": "2025-11-04T22:11:50Z",
"published": "2024-01-10T18:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49599"
},
{
"type": "WEB",
"url": "https://github.com/WWBN/AVideo/commit/15fed957fb64b4055158acfc449bd7974346edb5"
},
{
"type": "PACKAGE",
"url": "https://github.com/WWBN/AVideo"
},
{
"type": "WEB",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2023-1900"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "WWBN AVideo Insufficient Entropy vulnerbaility"
}
GHSA-WQX8-R5JG-36W6
Vulnerability from github – Published: 2026-02-25 15:31 – Updated: 2026-02-26 15:30In Progress® Telerik® UI for AJAX, versions prior to 2026.1.225, an insufficient entropy vulnerability exists in RadAsyncUpload, where a predictable temporary identifier, based on timestamp and filename, can enable collisions and file content tampering.
{
"affected": [],
"aliases": [
"CVE-2026-2878"
],
"database_specific": {
"cwe_ids": [
"CWE-331"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-25T15:20:54Z",
"severity": "MODERATE"
},
"details": "In Progress\u00ae Telerik\u00ae UI for AJAX, versions prior to 2026.1.225, an insufficient entropy vulnerability exists in RadAsyncUpload, where a predictable temporary identifier, based on timestamp and filename, can enable collisions and file content tampering.",
"id": "GHSA-wqx8-r5jg-36w6",
"modified": "2026-02-26T15:30:29Z",
"published": "2026-02-25T15:31:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2878"
},
{
"type": "WEB",
"url": "https://www.telerik.com/products/aspnet-ajax/documentation/knowledge-base/kb-security-insufficient-entropy-cve-2026-2878"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WV95-5RRJ-GJM9
Vulnerability from github – Published: 2021-11-21 00:00 – Updated: 2024-02-27 18:59Dell Networking X-Series firmware versions prior to 3.0.1.8 contain an authentication bypass vulnerability. A remote unauthenticated attacker may potentially hijack a session and access the webserver by forging the session ID.
{
"affected": [],
"aliases": [
"CVE-2021-36320"
],
"database_specific": {
"cwe_ids": [
"CWE-331"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-11-20T02:15:00Z",
"severity": "CRITICAL"
},
"details": "Dell Networking X-Series firmware versions prior to 3.0.1.8 contain an authentication bypass vulnerability. A remote unauthenticated attacker may potentially hijack a session and access the webserver by forging the session ID.",
"id": "GHSA-wv95-5rrj-gjm9",
"modified": "2024-02-27T18:59:12Z",
"published": "2021-11-21T00:00:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36320"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000193230/dsa-2021-191-dell-networking-x-series-security-update-for-multiple-security-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WVXG-XMPG-QCWX
Vulnerability from github – Published: 2022-05-24 19:11 – Updated: 2022-05-24 19:11The DNS client in InterNiche NicheStack TCP/IP 4.0.1 is affected by: Insufficient entropy in the DNS transaction id. The impact is: DNS cache poisoning (remote). The component is: dns_query_type(). The attack vector is: a specific DNS response packet.
{
"affected": [],
"aliases": [
"CVE-2020-25926"
],
"database_specific": {
"cwe_ids": [
"CWE-331"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-18T19:15:00Z",
"severity": "HIGH"
},
"details": "The DNS client in InterNiche NicheStack TCP/IP 4.0.1 is affected by: Insufficient entropy in the DNS transaction id. The impact is: DNS cache poisoning (remote). The component is: dns_query_type(). The attack vector is: a specific DNS response packet.",
"id": "GHSA-wvxg-xmpg-qcwx",
"modified": "2022-05-24T19:11:29Z",
"published": "2022-05-24T19:11:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25926"
},
{
"type": "WEB",
"url": "https://www.forescout.com/blog/new-critical-operational-technology-vulnerabilities-found-on-nichestack"
},
{
"type": "WEB",
"url": "https://www.kb.cert.org/vuls/id/608209"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation
Determine the necessary entropy to adequately provide for randomness and predictability. This can be achieved by increasing the number of bits of objects such as keys and seeds.
CAPEC-59: Session Credential Falsification through Prediction
This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.