Common Weakness Enumeration

CWE-335

Allowed

Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)

Abstraction: Base · Status: Draft

The product uses a Pseudo-Random Number Generator (PRNG) but does not correctly manage seeds.

53 vulnerabilities reference this CWE, most recent first.

GHSA-5J8H-3WVC-37WP

Vulnerability from github – Published: 2022-05-24 17:19 – Updated: 2024-04-04 02:51
VLAI
Details

D-Link DIR-865L Ax 1.20B01 Beta devices have a predictable seed in a Pseudo-Random Number Generator.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-13784"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-335",
      "CWE-338"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-06-03T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "D-Link DIR-865L Ax 1.20B01 Beta devices have a predictable seed in a Pseudo-Random Number Generator.",
  "id": "GHSA-5j8h-3wvc-37wp",
  "modified": "2024-04-04T02:51:16Z",
  "published": "2022-05-24T17:19:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13784"
    },
    {
      "type": "WEB",
      "url": "https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10174"
    },
    {
      "type": "WEB",
      "url": "https://unit42.paloaltonetworks.com/6-new-d-link-vulnerabilities-found-on-home-routers"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6CV6-HF8Q-PXX2

Vulnerability from github – Published: 2024-04-29 15:30 – Updated: 2024-04-29 15:30
VLAI
Details

Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) vulnerability in Secomea GateManager (Webserver modules) allows Session Hijacking.This issue affects GateManager: before 11.2.624071020.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-1579"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-335"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-29T14:15:08Z",
    "severity": "HIGH"
  },
  "details": "Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) vulnerability in Secomea GateManager (Webserver modules) allows Session Hijacking.This issue affects GateManager: before 11.2.624071020.\n\n",
  "id": "GHSA-6cv6-hf8q-pxx2",
  "modified": "2024-04-29T15:30:30Z",
  "published": "2024-04-29T15:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1579"
    },
    {
      "type": "WEB",
      "url": "https://www.secomea.com/support/cybersecurity-advisory"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6FCJ-RV73-F37C

Vulnerability from github – Published: 2022-05-24 17:32 – Updated: 2024-03-25 18:30
VLAI
Details

An issue was discovered in beta versions of the 1Password command-line tool prior to 0.5.5 and in beta versions of the 1Password SCIM bridge prior to 0.7.3. An insecure random number generator was used to generate various keys. An attacker with access to the user's encrypted data may be able to perform brute-force calculations of encryption keys and thus succeed at decryption.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-10256"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-335"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-10-27T14:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "An issue was discovered in beta versions of the 1Password command-line tool prior to 0.5.5 and in beta versions of the 1Password SCIM bridge prior to 0.7.3. An insecure random number generator was used to generate various keys. An attacker with access to the user\u0027s encrypted data may be able to perform brute-force calculations of encryption keys and thus succeed at decryption.",
  "id": "GHSA-6fcj-rv73-f37c",
  "modified": "2024-03-25T18:30:56Z",
  "published": "2022-05-24T17:32:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10256"
    },
    {
      "type": "WEB",
      "url": "https://support.1password.com/command-line"
    },
    {
      "type": "WEB",
      "url": "https://support.1password.com/kb/202010"
    },
    {
      "type": "WEB",
      "url": "https://support.1password.com/scim"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7542-V6GH-MFVW

Vulnerability from github – Published: 2022-04-23 00:40 – Updated: 2024-04-03 23:52
VLAI
Details

lib/libc/stdlib/random.c in OpenBSD returns 0 when seeded with 0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2012-1577"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-335"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-12-10T19:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "lib/libc/stdlib/random.c in OpenBSD returns 0 when seeded with 0.",
  "id": "GHSA-7542-v6gh-mfvw",
  "modified": "2024-04-03T23:52:49Z",
  "published": "2022-04-23T00:40:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-1577"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ensc/dietlibc/blob/master/CHANGES"
    },
    {
      "type": "WEB",
      "url": "https://security-tracker.debian.org/tracker/CVE-2012-1577"
    },
    {
      "type": "WEB",
      "url": "http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/random.c#rev1.16"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2012/03/23/14"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-76MM-6XM9-HWPX

Vulnerability from github – Published: 2026-04-01 21:30 – Updated: 2026-04-01 21:30
VLAI
Details

Mbed TLS before 3.6.6 and TF-PSA-Crypto before 1.1.0 misuse seeds in a Pseudo-Random Number Generator (PRNG).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-25835"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-335"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-01T19:16:28Z",
    "severity": "HIGH"
  },
  "details": "Mbed TLS before 3.6.6 and TF-PSA-Crypto before 1.1.0 misuse seeds in a Pseudo-Random Number Generator (PRNG).",
  "id": "GHSA-76mm-6xm9-hwpx",
  "modified": "2026-04-01T21:30:30Z",
  "published": "2026-04-01T21:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25835"
    },
    {
      "type": "WEB",
      "url": "https://mbed-tls.readthedocs.io/en/latest/security-advisories"
    },
    {
      "type": "WEB",
      "url": "https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-rng-cloning"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7MGV-QHC8-MRRG

Vulnerability from github – Published: 2022-04-09 00:00 – Updated: 2022-04-15 00:00
VLAI
Details

Dell PowerScale OneFS, versions 8.2.x-9.3.x, contain a predictable seed in pseudo-random number generator. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to an account compromise.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-26852"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-335"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-04-08T20:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Dell PowerScale OneFS, versions 8.2.x-9.3.x, contain a predictable seed in pseudo-random number generator. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to an account compromise.",
  "id": "GHSA-7mgv-qhc8-mrrg",
  "modified": "2022-04-15T00:00:53Z",
  "published": "2022-04-09T00:00:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26852"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000197991/dell-emc-powerscale-onefs-security-update-for-multiple-component-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-82RP-XG3C-HXPX

Vulnerability from github – Published: 2022-01-29 00:00 – Updated: 2022-10-07 18:15
VLAI
Details

Piwigo is image gallery software written in PHP. When a criteria is not met on a host, piwigo defaults to usingmt_rand in order to generate password reset tokens. mt_rand output can be predicted after recovering the seed used to generate it. This low an unauthenticated attacker to take over an account providing they know an administrators email address in order to be able to request password reset.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-3735"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-335"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-01-28T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "Piwigo is image gallery software written in PHP. When a criteria is not met on a host, piwigo defaults to usingmt_rand in order to generate password reset tokens. mt_rand output can be predicted after recovering the seed used to generate it. This low an unauthenticated attacker to take over an account providing they know an administrators email address in order to be able to request password reset.",
  "id": "GHSA-82rp-xg3c-hxpx",
  "modified": "2022-10-07T18:15:58Z",
  "published": "2022-01-29T00:00:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-3735"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Piwigo/Piwigo/issues/470,"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Piwigo/Piwigo/commit/f51ee90c66527fd7ff634f3e8d414cb670da068d"
    },
    {
      "type": "WEB",
      "url": "http://piwigo.org/release-2.8.1,"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-85QJ-2CFQ-3WP8

Vulnerability from github – Published: 2022-05-24 19:02 – Updated: 2022-07-13 00:01
VLAI
Details

An HTTP Request Smuggling vulnerability in Pulse Secure Virtual Traffic Manager before 21.1 could allow an attacker to smuggle an HTTP request through an HTTP/2 Header. This vulnerability is resolved in 21.1, 20.3R1, 20.2R1, 20.1R2, 19.2R4, and 18.2R3.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-31922"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-335"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-05-14T01:15:00Z",
    "severity": "HIGH"
  },
  "details": "An HTTP Request Smuggling vulnerability in Pulse Secure Virtual Traffic Manager before 21.1 could allow an attacker to smuggle an HTTP request through an HTTP/2 Header. This vulnerability is resolved in 21.1, 20.3R1, 20.2R1, 20.1R2, 19.2R4, and 18.2R3.",
  "id": "GHSA-85qj-2cfq-3wp8",
  "modified": "2022-07-13T00:01:25Z",
  "published": "2022-05-24T19:02:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31922"
    },
    {
      "type": "WEB",
      "url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44790"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8P8F-C57X-4QW8

Vulnerability from github – Published: 2022-05-13 01:07 – Updated: 2022-05-13 01:07
VLAI
Details

In Airsonic 10.2.1, RecoverController.java generates passwords via org.apache.commons.lang.RandomStringUtils, which uses java.util.Random internally. This PRNG has a 48-bit seed that can easily be bruteforced, leading to trivial privilege escalation attacks.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-10908"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-335"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-04-07T14:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "In Airsonic 10.2.1, RecoverController.java generates passwords via org.apache.commons.lang.RandomStringUtils, which uses java.util.Random internally. This PRNG has a 48-bit seed that can easily be bruteforced, leading to trivial privilege escalation attacks.",
  "id": "GHSA-8p8f-c57x-4qw8",
  "modified": "2022-05-13T01:07:57Z",
  "published": "2022-05-13T01:07:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10908"
    },
    {
      "type": "WEB",
      "url": "https://github.com/airsonic/airsonic/commit/61c842923a6d60d4aedd126445a8437b53b752c8"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8VX9-59H6-X23V

Vulnerability from github – Published: 2022-05-13 01:10 – Updated: 2022-05-13 01:10
VLAI
Details

An issue was discovered on the D-Link DWR-932B router. WPS PIN generation is based on srand(time(0)) seeding.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-10180"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1241",
      "CWE-330",
      "CWE-335",
      "CWE-338"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-01-30T04:59:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered on the D-Link DWR-932B router. WPS PIN generation is based on srand(time(0)) seeding.",
  "id": "GHSA-8vx9-59h6-x23v",
  "modified": "2022-05-13T01:10:32Z",
  "published": "2022-05-13T01:10:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-10180"
    },
    {
      "type": "WEB",
      "url": "https://pierrekim.github.io/blog/2016-09-28-dlink-dwr-932b-lte-routers-vulnerabilities.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/95877"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.