{"@ID": "330", "@Name": "Use of Insufficiently Random Values", "@Abstraction": "Class", "@Structure": "Simple", "@Status": "Stable", "@Diagram": "/data/images/CWE-330-Diagram.png", "Description": "The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "693", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "CanPrecede", "@CWE_ID": "804", "@View_ID": "1000"}]}, "Weakness_Ordinalities": {"Weakness_Ordinality": {"Ordinality": "Primary"}}, "Applicable_Platforms": {"Language": {"@Class": "Not Language-Specific", "@Prevalence": "Undetermined"}, "Technology": {"@Class": "Not Technology-Specific", "@Prevalence": "Undetermined"}}, "Background_Details": {"Background_Detail": "Computers are deterministic machines, and as such are unable to produce true randomness. Pseudo-Random Number Generators (PRNGs) approximate randomness algorithmically, starting with a seed from which subsequent values are calculated. There are two types of PRNGs: statistical and cryptographic. Statistical PRNGs provide useful statistical properties, but their output is highly predictable and forms an easy to reproduce numeric stream that is unsuitable for use in cases where security depends on generated values being unpredictable. Cryptographic PRNGs address this problem by generating output that is more difficult to predict. For a value to be cryptographically secure, it must be impossible or highly improbable for an attacker to distinguish between it and a truly random value."}, "Modes_Of_Introduction": {"Introduction": [{"Phase": "Architecture and Design"}, {"Phase": "Implementation", "Note": "REALIZATION: This weakness is caused during implementation of an architectural security tactic."}]}, "Likelihood_Of_Exploit": "High", "Common_Consequences": {"Consequence": [{"Scope": ["Confidentiality", "Other"], "Impact": "Other", "Note": "When a protection mechanism relies on random values to restrict access to a sensitive resource, such as a session ID or a seed for generating a cryptographic key, then the resource being protected could be accessed by guessing the ID or key."}, {"Scope": ["Access Control", "Other"], "Impact": ["Bypass Protection Mechanism", "Other"], "Note": "If product relies on unique, unguessable IDs to identify a resource, an attacker might be able to guess an ID for a resource that is owned by another user. The attacker could then read the resource, or pre-create a resource with the same ID to prevent the legitimate program from properly sending the resource to the intended user. For example, a product might maintain session information in a file whose name is based on a username. An attacker could pre-create this file for a victim user, then set the permissions so that the application cannot generate the session for the victim, preventing the victim from using the application."}, {"Scope": "Access Control", "Impact": ["Bypass Protection Mechanism", "Gain Privileges or Assume Identity"], "Note": "When an authorization or authentication mechanism relies on random values to restrict access to restricted functionality, such as a session ID or a seed for generating a cryptographic key, then an attacker may access the restricted functionality by guessing the ID or key."}]}, "Detection_Methods": {"Detection_Method": [{"@Detection_Method_ID": "DM-11.4", "Method": "Black Box", "Description": {"xhtml:p": ["Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic.", "Attach the monitor to the process and look for library functions that indicate when randomness is being used. Run the process multiple times to see if the seed changes. Look for accesses of devices or equivalent resources that are commonly used for strong (or weak) randomness, such as /dev/urandom on Linux. Look for library or system calls that access predictable information such as process IDs and system time."]}}, {"Method": "Automated Static Analysis - Binary or Bytecode", "Description": {"xhtml:p": "According to SOAR [REF-1479], the following detection techniques may be useful:", "xhtml:div": {"@style": "margin-left:1em;", "xhtml:div": "Cost effective for partial coverage:", "xhtml:ul": {"xhtml:li": ["Bytecode Weakness Analysis - including disassembler + source code weakness analysis", "Binary Weakness Analysis - including disassembler + source code weakness analysis"]}}}, "Effectiveness": "SOAR Partial"}, {"Method": "Manual Static Analysis - Binary or Bytecode", "Description": {"xhtml:p": "According to SOAR [REF-1479], the following detection techniques may be useful:", "xhtml:div": {"@style": "margin-left:1em;", "xhtml:div": "Cost effective for partial coverage:", "xhtml:ul": {"xhtml:li": "Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies"}}}, "Effectiveness": "SOAR Partial"}, {"Method": "Dynamic Analysis with Manual Results Interpretation", "Description": {"xhtml:p": "According to SOAR [REF-1479], the following detection techniques may be useful:", "xhtml:div": {"@style": "margin-left:1em;", "xhtml:div": "Cost effective for partial coverage:", "xhtml:ul": {"xhtml:li": "Man-in-the-middle attack tool"}}}, "Effectiveness": "SOAR Partial"}, {"Method": "Manual Static Analysis - Source Code", "Description": {"xhtml:p": "According to SOAR [REF-1479], the following detection techniques may be useful:", "xhtml:div": {"@style": "margin-left:1em;", "xhtml:div": "Highly cost effective:", "xhtml:ul": {"xhtml:li": ["Focused Manual Spotcheck - Focused manual analysis of source", "Manual Source Code Review (not inspections)"]}}}, "Effectiveness": "High"}, {"Method": "Automated Static Analysis - Source Code", "Description": {"xhtml:p": "According to SOAR [REF-1479], the following detection techniques may be useful:", "xhtml:div": {"@style": "margin-left:1em;", "xhtml:div": "Cost effective for partial coverage:", "xhtml:ul": {"xhtml:li": ["Source code Weakness Analyzer", "Context-configured Source Code Weakness Analyzer"]}}}, "Effectiveness": "SOAR Partial"}, {"Method": "Architecture or Design Review", "Description": {"xhtml:p": "According to SOAR [REF-1479], the following detection techniques may be useful:", "xhtml:div": {"@style": "margin-left:1em;", "xhtml:div": "Highly cost effective:", "xhtml:ul": {"xhtml:li": "Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.)"}}}, "Effectiveness": "High"}]}, "Potential_Mitigations": {"Mitigation": [{"Phase": "Architecture and Design", "Description": {"xhtml:p": ["Use a well-vetted algorithm that is currently considered to be strong by experts in the field, and select well-tested implementations with adequate length seeds.", "In general, if a pseudo-random number generator is not advertised as being cryptographically secure, then it is probably a statistical PRNG and should not be used in security-sensitive contexts.", "Pseudo-random number generators can produce predictable numbers if the generator is known and the seed can be guessed. A 256-bit seed is a good starting point for producing a \"random enough\" number."]}}, {"Phase": "Implementation", "Description": "Consider a PRNG that re-seeds itself as needed from high quality pseudo-random output sources, such as hardware devices."}, {"@Mitigation_ID": "MIT-2", "Phase": ["Architecture and Design", "Requirements"], "Strategy": "Libraries or Frameworks", "Description": "Use products or modules that conform to FIPS 140-2 [REF-267] to avoid obvious entropy problems. Consult FIPS 140-2 Annex C (\"Approved Random Number Generators\")."}]}, "Demonstrative_Examples": {"Demonstrative_Example": [{"@Demonstrative_Example_ID": "DX-45", "Intro_Text": "This code attempts to generate a unique random identifier for a user's session.", "Example_Code": {"@Nature": "Bad", "@Language": "PHP", "xhtml:div": {"xhtml:div": {"@style": "margin-left:1em;", "xhtml:br": null, "#text": "srand($userID);return rand();"}, "#text": "function generateSessionID($userID){}"}}, "Body_Text": ["Because the seed for the PRNG is always the user's ID, the session ID will always be the same. An attacker could thus predict any user's session ID and potentially hijack the session.", "This example also exhibits a Small Seed Space (CWE-339)."]}, {"@Demonstrative_Example_ID": "DX-46", "Intro_Text": "The following code uses a statistical PRNG to create a URL for a receipt that remains active for some period of time after a purchase.", "Example_Code": {"@Nature": "Bad", "@Language": "Java", "xhtml:div": {"xhtml:div": {"@style": "margin-left:1em;", "xhtml:br": [null, null], "#text": "Random ranGen = new Random();ranGen.setSeed((new Date()).getTime());return(baseUrl + ranGen.nextInt(400000000) + \".html\");"}, "#text": "String GenerateReceiptURL(String baseUrl) {}"}}, "Body_Text": "This code uses the Random.nextInt() function to generate \"unique\" identifiers for the receipt pages it generates. Because Random.nextInt() is a statistical PRNG, it is easy for an attacker to guess the strings it generates. Although the underlying design of the receipt system is also faulty, it would be more secure if it used a random number generator that did not produce predictable receipt identifiers, such as a cryptographic PRNG."}]}, "Observed_Examples": {"Observed_Example": [{"Reference": "CVE-2021-3692", "Description": "PHP framework uses mt_rand() function (Marsenne Twister) when generating tokens", "Link": "https://www.cve.org/CVERecord?id=CVE-2021-3692"}, {"Reference": "CVE-2020-7010", "Description": "Cloud application on Kubernetes generates passwords using a weak random number generator based on deployment time.", "Link": "https://www.cve.org/CVERecord?id=CVE-2020-7010"}, {"Reference": "CVE-2009-3278", "Description": "Crypto product uses rand() library function to generate a recovery key, making it easier to conduct brute force attacks.", "Link": "https://www.cve.org/CVERecord?id=CVE-2009-3278"}, {"Reference": "CVE-2009-3238", "Description": "Random number generator can repeatedly generate the same value.", "Link": "https://www.cve.org/CVERecord?id=CVE-2009-3238"}, {"Reference": "CVE-2009-2367", "Description": "Web application generates predictable session IDs, allowing session hijacking.", "Link": "https://www.cve.org/CVERecord?id=CVE-2009-2367"}, {"Reference": "CVE-2009-2158", "Description": "Password recovery utility generates a relatively small number of random passwords, simplifying brute force attacks.", "Link": "https://www.cve.org/CVERecord?id=CVE-2009-2158"}, {"Reference": "CVE-2009-0255", "Description": "Cryptographic key created with a seed based on the system time.", "Link": "https://www.cve.org/CVERecord?id=CVE-2009-0255"}, {"Reference": "CVE-2008-5162", "Description": "Kernel function does not have a good entropy source just after boot.", "Link": "https://www.cve.org/CVERecord?id=CVE-2008-5162"}, {"Reference": "CVE-2008-4905", "Description": "Blogging software uses a hard-coded salt when calculating a password hash.", "Link": "https://www.cve.org/CVERecord?id=CVE-2008-4905"}, {"Reference": "CVE-2008-4929", "Description": "Bulletin board application uses insufficiently random names for uploaded files, allowing other users to access private files.", "Link": "https://www.cve.org/CVERecord?id=CVE-2008-4929"}, {"Reference": "CVE-2008-3612", "Description": "Handheld device uses predictable TCP sequence numbers, allowing spoofing or hijacking of TCP connections.", "Link": "https://www.cve.org/CVERecord?id=CVE-2008-3612"}, {"Reference": "CVE-2008-2433", "Description": "Web management console generates session IDs based on the login time, making it easier to conduct session hijacking.", "Link": "https://www.cve.org/CVERecord?id=CVE-2008-2433"}, {"Reference": "CVE-2008-0166", "Description": "SSL library uses a weak random number generator that only generates 65,536 unique keys.", "Link": "https://www.cve.org/CVERecord?id=CVE-2008-0166"}, {"Reference": "CVE-2008-2108", "Description": "Chain: insufficient precision causes extra zero bits to be assigned, reducing entropy for an API function that generates random numbers.", "Link": "https://www.cve.org/CVERecord?id=CVE-2008-2108"}, {"Reference": "CVE-2008-2108", "Description": "Chain: insufficient precision (CWE-1339) in\n\t     random-number generator causes some zero bits to be reliably\n\t     generated, reducing the amount of entropy (CWE-331)", "Link": "https://www.cve.org/CVERecord?id=CVE-2008-2108"}, {"Reference": "CVE-2008-2020", "Description": "CAPTCHA implementation does not produce enough different images, allowing bypass using a database of all possible checksums.", "Link": "https://www.cve.org/CVERecord?id=CVE-2008-2020"}, {"Reference": "CVE-2008-0087", "Description": "DNS client uses predictable DNS transaction IDs, allowing DNS spoofing.", "Link": "https://www.cve.org/CVERecord?id=CVE-2008-0087"}, {"Reference": "CVE-2008-0141", "Description": "Application generates passwords that are based on the time of day.", "Link": "https://www.cve.org/CVERecord?id=CVE-2008-0141"}]}, "Functional_Areas": {"Functional_Area": ["Cryptography", "Authentication", "Session Management"]}, "Taxonomy_Mappings": {"Taxonomy_Mapping": [{"@Taxonomy_Name": "PLOVER", "Entry_Name": "Randomness and Predictability"}, {"@Taxonomy_Name": "7 Pernicious Kingdoms", "Entry_Name": "Insecure Randomness"}, {"@Taxonomy_Name": "OWASP Top Ten 2004", "Entry_ID": "A2", "Entry_Name": "Broken Access Control", "Mapping_Fit": "CWE More Specific"}, {"@Taxonomy_Name": "CERT C Secure Coding", "Entry_ID": "CON33-C", "Entry_Name": "Avoid race conditions when using library functions", "Mapping_Fit": "Imprecise"}, {"@Taxonomy_Name": "CERT C Secure Coding", "Entry_ID": "MSC30-C", "Entry_Name": "Do not use the rand() function for generating pseudorandom numbers", "Mapping_Fit": "CWE More Abstract"}, {"@Taxonomy_Name": "CERT C Secure Coding", "Entry_ID": "MSC32-C", "Entry_Name": "Properly seed pseudorandom number generators", "Mapping_Fit": "CWE More Abstract"}, {"@Taxonomy_Name": "WASC", "Entry_ID": "11", "Entry_Name": "Brute Force"}, {"@Taxonomy_Name": "WASC", "Entry_ID": "18", "Entry_Name": "Credential/Session Prediction"}, {"@Taxonomy_Name": "The CERT Oracle Secure Coding Standard for Java (2011)", "Entry_ID": "MSC02-J", "Entry_Name": "Generate strong random numbers"}]}, "Related_Attack_Patterns": {"Related_Attack_Pattern": [{"@CAPEC_ID": "112"}, {"@CAPEC_ID": "485"}, {"@CAPEC_ID": "59"}]}, "References": {"Reference": [{"@External_Reference_ID": "REF-267"}, {"@External_Reference_ID": "REF-207"}, {"@External_Reference_ID": "REF-7", "@Section": "Chapter 8, \"Using Poor Random Numbers\" Page 259"}, {"@External_Reference_ID": "REF-44", "@Section": "\"Sin 20: Weak Random Numbers.\" Page 299"}, {"@External_Reference_ID": "REF-1479"}]}, "Mapping_Notes": {"Usage": "Discouraged", "Rationale": "This CWE entry is a level-1 Class (i.e., a child of a Pillar). It might have lower-level children that would be more appropriate", "Comments": "Examine children of this entry to see if there is a better fit", "Reasons": {"Reason": {"@Type": "Abstraction"}}}, "Notes": {"Note": [{"@Type": "Relationship", "#text": "This can be primary to many other weaknesses such as cryptographic errors, authentication errors, symlink following, information leaks, and others."}, {"@Type": "Maintenance", "#text": "As of CWE 4.3, CWE-330 and its descendants are being\n\t\t\t  investigated by the CWE crypto team to identify gaps\n\t\t\t  related to randomness and unpredictability, as well as\n\t\t\t  the relationships between randomness and cryptographic\n\t\t\t  primitives.  This \"subtree analysis\" might\n\t\t\t  result in the addition or deprecation of existing\n\t\t\t  entries; the reorganization of relationships in some\n\t\t\t  views, e.g. the research view (CWE-1000); more consistent\n\t\t\t  use of terminology; and/or significant modifications to\n\t\t\t  related entries."}, {"@Type": "Maintenance", "#text": "As of CWE 4.5, terminology related to randomness, entropy, and\n\t   predictability can vary widely. Within the developer and other\n\t   communities, \"randomness\" is used heavily. However, within\n\t   cryptography, \"entropy\" is distinct, typically implied as a\n\t   measurement. There are no commonly-used definitions, even within\n\t   standards documents and cryptography papers. Future versions of\n\t   CWE will attempt to define these terms and, if necessary,\n\t   distinguish between them in ways that are appropriate for\n\t   different communities but do not reduce the usability of CWE for\n\t   mapping, understanding, or other scenarios."}]}, "Content_History": {"Submission": {"Submission_Name": "PLOVER", "Submission_Date": "2006-07-19", "Submission_Version": "Draft 3", "Submission_ReleaseDate": "2006-07-19"}, "Modification": [{"Modification_Name": "Eric Dalci", "Modification_Organization": "Cigital", "Modification_Date": "2008-07-01", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "updated Time_of_Introduction"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2008-09-08", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "updated Background_Details, Relationships, Other_Notes, Relationship_Notes, Taxonomy_Mappings, Weakness_Ordinalities"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2008-11-24", "Modification_Version": "1.1", "Modification_ReleaseDate": "2008-11-25", "Modification_Comment": "updated Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2009-01-12", "Modification_Version": "1.2", "Modification_ReleaseDate": "2009-01-12", "Modification_Comment": "updated Description, Likelihood_of_Exploit, Other_Notes, Potential_Mitigations, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2009-03-10", "Modification_Version": "1.3", "Modification_ReleaseDate": "2009-03-10", "Modification_Comment": "updated Potential_Mitigations"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2009-05-27", "Modification_Version": "1.4", "Modification_ReleaseDate": "2009-05-27", "Modification_Comment": "updated Demonstrative_Examples, Related_Attack_Patterns"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2009-12-28", "Modification_Version": "1.7", "Modification_ReleaseDate": "2009-12-28", "Modification_Comment": "updated Applicable_Platforms, Common_Consequences, Description, Observed_Examples, Potential_Mitigations, Time_of_Introduction"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2010-02-16", "Modification_Version": "1.8", "Modification_ReleaseDate": "2010-02-16", "Modification_Comment": "updated References, Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2010-04-05", "Modification_Version": "1.8.1", "Modification_ReleaseDate": "2010-04-05", "Modification_Comment": "updated Related_Attack_Patterns"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2010-06-21", "Modification_Version": "1.9", "Modification_ReleaseDate": "2010-06-21", "Modification_Comment": "updated Detection_Factors, Potential_Mitigations"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-03-29", "Modification_Version": "1.12", "Modification_ReleaseDate": "2011-03-30", "Modification_Comment": "updated Demonstrative_Examples"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-06-01", "Modification_Version": "1.13", "Modification_ReleaseDate": "2011-06-01", "Modification_Comment": "updated Common_Consequences, Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-06-27", "Modification_Version": "2.0", "Modification_ReleaseDate": "2011-06-27", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-09-13", "Modification_Version": "2.1", "Modification_ReleaseDate": "2011-09-13", "Modification_Comment": "updated Potential_Mitigations, References, Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2012-05-11", "Modification_Version": "2.2", "Modification_ReleaseDate": "2012-05-15", "Modification_Comment": "updated Demonstrative_Examples, Observed_Examples, References, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2014-02-18", "Modification_Version": "2.6", "Modification_ReleaseDate": "2014-02-19", "Modification_Comment": "updated Related_Attack_Patterns"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2014-06-23", "Modification_Version": "2.7", "Modification_ReleaseDate": "2014-06-23", "Modification_Comment": "updated Related_Attack_Patterns"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2014-07-30", "Modification_Version": "2.8", "Modification_ReleaseDate": "2014-07-31", "Modification_Comment": "updated Detection_Factors"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2015-12-07", "Modification_Version": "2.9", "Modification_ReleaseDate": "2015-12-07", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2017-11-08", "Modification_Version": "3.0", "Modification_ReleaseDate": "2017-11-08", "Modification_Comment": "updated Functional_Areas, Likelihood_of_Exploit, Modes_of_Introduction, References, Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2018-03-27", "Modification_Version": "3.1", "Modification_ReleaseDate": "2018-03-27", "Modification_Comment": "updated References"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2019-01-03", "Modification_Version": "3.2", "Modification_ReleaseDate": "2019-01-03", "Modification_Comment": "updated Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2019-06-20", "Modification_Version": "3.3", "Modification_ReleaseDate": "2019-06-20", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-02-24", "Modification_Version": "4.0", "Modification_ReleaseDate": "2020-02-24", "Modification_Comment": "updated Applicable_Platforms, Description, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2021-03-15", "Modification_Version": "4.4", "Modification_ReleaseDate": "2021-03-15", "Modification_Comment": "updated Maintenance_Notes, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2021-07-20", "Modification_Version": "4.5", "Modification_ReleaseDate": "2021-07-20", "Modification_Comment": "updated Demonstrative_Examples, Maintenance_Notes, Observed_Examples"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2021-10-28", "Modification_Version": "4.6", "Modification_ReleaseDate": "2021-10-28", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2022-10-13", "Modification_Version": "4.9", "Modification_ReleaseDate": "2022-10-13", "Modification_Comment": "updated Observed_Examples, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-01-31", "Modification_Version": "4.10", "Modification_ReleaseDate": "2023-01-31", "Modification_Comment": "updated Common_Consequences, Description"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-04-27", "Modification_Version": "4.11", "Modification_ReleaseDate": "2023-04-27", "Modification_Comment": "updated References, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-06-29", "Modification_Version": "4.12", "Modification_ReleaseDate": "2023-06-29", "Modification_Comment": "updated Mapping_Notes, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-10-26", "Modification_Version": "4.13", "Modification_ReleaseDate": "2023-10-26", "Modification_Comment": "updated Observed_Examples"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2024-02-29", "Modification_Version": "4.14", "Modification_ReleaseDate": "2024-02-29", "Modification_Comment": "updated Mapping_Notes"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-09-09", "Modification_Version": "4.18", "Modification_ReleaseDate": "2025-09-09", "Modification_Comment": "updated Description, Detection_Factors, Diagram, References"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-12-11", "Modification_Version": "4.19", "Modification_ReleaseDate": "2025-12-11", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2026-04-30", "Modification_Version": "4.20", "Modification_ReleaseDate": "2026-04-30", "Modification_Comment": "updated Potential_Mitigations"}], "Previous_Entry_Name": {"@Date": "2008-04-11", "#text": "Randomness and Predictability"}}}
