CWE-331
AllowedInsufficient Entropy
Abstraction: Base · Status: Draft
The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.
207 vulnerabilities reference this CWE, most recent first.
GHSA-437P-76R5-9789
Vulnerability from github – Published: 2023-11-30 18:31 – Updated: 2023-12-06 03:30An Insufficient Entropy vulnerability in the Schweitzer Engineering Laboratories SEL-451 could allow an unauthenticated remote attacker to brute-force session tokens and bypass authentication.
See product Instruction Manual Appendix A dated 20230830 for more details.
{
"affected": [],
"aliases": [
"CVE-2023-31176"
],
"database_specific": {
"cwe_ids": [
"CWE-331"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-30T17:15:08Z",
"severity": "HIGH"
},
"details": "An Insufficient Entropy vulnerability in the Schweitzer Engineering Laboratories SEL-451 could allow an unauthenticated remote attacker to brute-force session tokens and bypass authentication.\u00a0\n\n\nSee product Instruction Manual Appendix A dated 20230830 for more details.\n\n\n\n",
"id": "GHSA-437p-76r5-9789",
"modified": "2023-12-06T03:30:26Z",
"published": "2023-11-30T18:31:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31176"
},
{
"type": "WEB",
"url": "https://selinc.com/support/security-notifications/external-reports"
},
{
"type": "WEB",
"url": "https://www.nozominetworks.com/blog"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-468W-RC5F-76WX
Vulnerability from github – Published: 2022-08-16 00:00 – Updated: 2022-08-17 00:00Apache OpenOffice supports the storage of passwords for web connections in the user's configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in OpenOffice existed where master key was poorly encoded resulting in weakening its entropy from 128 to 43 bits making the stored passwords vulnerable to a brute force attack if an attacker has access to the users stored config. This issue affects: Apache OpenOffice versions prior to 4.1.13. Reference: CVE-2022-26307 - LibreOffice
{
"affected": [],
"aliases": [
"CVE-2022-37401"
],
"database_specific": {
"cwe_ids": [
"CWE-312",
"CWE-326",
"CWE-331"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-15T11:21:00Z",
"severity": "HIGH"
},
"details": "Apache OpenOffice supports the storage of passwords for web connections in the user\u0027s configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in OpenOffice existed where master key was poorly encoded resulting in weakening its entropy from 128 to 43 bits making the stored passwords vulnerable to a brute force attack if an attacker has access to the users stored config. This issue affects: Apache OpenOffice versions prior to 4.1.13. Reference: CVE-2022-26307 - LibreOffice",
"id": "GHSA-468w-rc5f-76wx",
"modified": "2022-08-17T00:00:22Z",
"published": "2022-08-16T00:00:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37401"
},
{
"type": "WEB",
"url": "https://www.openoffice.org/security/cves/CVE-2022-37401.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2022/08/13/2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-46F3-RC2X-P4JV
Vulnerability from github – Published: 2025-03-26 12:30 – Updated: 2025-03-26 21:31DBIx::Class::EncodedColumn use the rand() function, which is not cryptographically secure to salt password hashes.
This vulnerability is associated with program files lib/DBIx/Class/EncodedColumn/Digest.pm.
This issue affects DBIx::Class::EncodedColumn until 0.00032.
{
"affected": [],
"aliases": [
"CVE-2025-27551"
],
"database_specific": {
"cwe_ids": [
"CWE-331",
"CWE-338"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-26T11:15:38Z",
"severity": "MODERATE"
},
"details": "DBIx::Class::EncodedColumn use the rand() function, which is not cryptographically secure to salt password hashes.\n\nThis vulnerability is associated with program files lib/DBIx/Class/EncodedColumn/Digest.pm.\n\nThis issue affects DBIx::Class::EncodedColumn until 0.00032.",
"id": "GHSA-46f3-rc2x-p4jv",
"modified": "2025-03-26T21:31:06Z",
"published": "2025-03-26T12:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27551"
},
{
"type": "WEB",
"url": "https://metacpan.org/release/WREIS/DBIx-Class-EncodedColumn-0.00032/changes"
},
{
"type": "WEB",
"url": "https://security.metacpan.org/docs/guides/random-data-for-security.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4CRF-28C7-V4GR
Vulnerability from github – Published: 2024-08-21 06:32 – Updated: 2025-01-09 09:31An insufficient entropy vulnerability was found in the Openshift Console. In the authorization code type and implicit grant type, the OAuth2 protocol is vulnerable to a Cross-Site Request Forgery (CSRF) attack if the state parameter is used inefficiently. This flaw allows logging into the victim’s current application account using a third-party account without any restrictions.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/openshift/console"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "6.0.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-6508"
],
"database_specific": {
"cwe_ids": [
"CWE-331"
],
"github_reviewed": true,
"github_reviewed_at": "2024-08-21T20:09:39Z",
"nvd_published_at": "2024-08-21T06:15:08Z",
"severity": "MODERATE"
},
"details": "An insufficient entropy vulnerability was found in the Openshift Console. In the authorization code type and implicit grant type, the OAuth2 protocol is vulnerable to a Cross-Site Request Forgery (CSRF) attack if the state parameter is used inefficiently. This flaw allows logging into the victim\u2019s current application account using a third-party account without any restrictions.",
"id": "GHSA-4crf-28c7-v4gr",
"modified": "2025-01-09T09:31:40Z",
"published": "2024-08-21T06:32:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6508"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:10813"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:7922"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:8415"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:8991"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:9620"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:0014"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2024-6508"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2295777"
},
{
"type": "PACKAGE",
"url": "https://github.com/openshift/console"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H",
"type": "CVSS_V4"
}
],
"summary": "Openshift Console insufficient entropy vulnerability"
}
GHSA-4QQX-6M6R-7Q77
Vulnerability from github – Published: 2025-07-11 12:30 – Updated: 2025-11-03 21:34CWE-331: Insufficient Entropy vulnerability exists that could cause root password discovery when the password generation algorithm is reverse engineered with access to installation or upgrade artifacts.
{
"affected": [],
"aliases": [
"CVE-2025-50122"
],
"database_specific": {
"cwe_ids": [
"CWE-331"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-11T10:15:23Z",
"severity": "HIGH"
},
"details": "CWE-331: Insufficient Entropy vulnerability exists that could cause root password discovery when the\npassword generation algorithm is reverse engineered with access to installation or upgrade artifacts.",
"id": "GHSA-4qqx-6m6r-7q77",
"modified": "2025-11-03T21:34:05Z",
"published": "2025-07-11T12:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-50122"
},
{
"type": "WEB",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-189-01\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2025-189-01.pdf"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/Jul/7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:L/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-4RWQ-456R-X2VQ
Vulnerability from github – Published: 2024-02-24 00:30 – Updated: 2024-08-16 21:32Hitron CODA-4582 and CODA-4589 devices have default PSKs that are generated from 5-digit hex values concatenated with a "Hitron" substring, resulting in insufficient entropy (only about one million possibilities).
{
"affected": [],
"aliases": [
"CVE-2024-25730"
],
"database_specific": {
"cwe_ids": [
"CWE-331"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-23T22:15:55Z",
"severity": "CRITICAL"
},
"details": "Hitron CODA-4582 and CODA-4589 devices have default PSKs that are generated from 5-digit hex values concatenated with a \"Hitron\" substring, resulting in insufficient entropy (only about one million possibilities).",
"id": "GHSA-4rwq-456r-x2vq",
"modified": "2024-08-16T21:32:35Z",
"published": "2024-02-24T00:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25730"
},
{
"type": "WEB",
"url": "https://github.com/actuator/cve/blob/main/Hitron/CVE-2024-25730"
},
{
"type": "WEB",
"url": "https://i.ebayimg.com/images/g/I-8AAOSwGE9lsGwI/s-l1600.webp"
},
{
"type": "WEB",
"url": "https://i.ebayimg.com/images/g/MwMAAOSwjTFk3kpd/s-l1600.webp"
},
{
"type": "WEB",
"url": "https://i.ebayimg.com/images/g/VDcAAOSwlodlSuz4/s-l1600.webp"
},
{
"type": "WEB",
"url": "https://i.ebayimg.com/images/g/XaAAAOSwvMNkuESk/s-l1600.webp"
},
{
"type": "WEB",
"url": "https://i.ebayimg.com/images/g/hzUAAOSwUwVllGMZ/s-l1600.webp"
},
{
"type": "WEB",
"url": "https://i.ebayimg.com/images/g/qK8AAOSwbr9lq3PJ/s-l1600.webp"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-53PG-HP8W-G7J6
Vulnerability from github – Published: 2023-08-01 15:30 – Updated: 2024-04-04 06:28Session tokens in RWS WorldServer 11.7.3 and earlier have a low entropy and can be enumerated, leading to unauthorized access to user sessions.
{
"affected": [],
"aliases": [
"CVE-2023-38357"
],
"database_specific": {
"cwe_ids": [
"CWE-331"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-01T15:15:09Z",
"severity": "MODERATE"
},
"details": "Session tokens in RWS WorldServer 11.7.3 and earlier have a low entropy and can be enumerated, leading to unauthorized access to user sessions.",
"id": "GHSA-53pg-hp8w-g7j6",
"modified": "2024-04-04T06:28:21Z",
"published": "2023-08-01T15:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38357"
},
{
"type": "WEB",
"url": "https://www.redteam-pentesting.de/en/advisories/rt-sa-2023-001/-session-token-enumeration-in-rws-worldserver"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/173609/RWS-WorldServer-11.7.3-Session-Token-Enumeration.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2023/Jul/30"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5844-Q3FC-56RH
Vulnerability from github – Published: 2023-12-06 06:30 – Updated: 2025-07-22 15:14Versions of the package pubnub before 7.4.0; all versions of the package com.pubnub:pubnub; versions of the package pubnub before 6.19.0; all versions of the package github.com/pubnub/go; versions of the package github.com/pubnub/go/v7 before 7.2.0; versions of the package pubnub before 7.3.0; versions of the package pubnub/pubnub before 6.1.0; versions of the package pubnub before 5.3.0; versions of the package pubnub before 0.4.0; versions of the package pubnub/c-core before 4.5.0; versions of the package com.pubnub:pubnub-kotlin before 7.7.0; versions of the package pubnub/swift before 6.2.0; versions of the package pubnub before 5.2.0; versions of the package pubnub before 4.3.0 are vulnerable to Insufficient Entropy via the getKey function, due to inefficient implementation of the AES-256-CBC cryptographic algorithm. The provided encrypt function is less secure when hex encoding and trimming are applied, leaving half of the bits in the key always the same for every encoded message or file.
Note:
In order to exploit this vulnerability, the attacker needs to invest resources in preparing the attack and brute-force the encryption.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "pubnub"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.4.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.pubnub:pubnub-kotlin"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.7.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.pubnub:pubnub"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "4.6.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/pubnub/go/v7"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.2.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/pubnub/go"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20231016150651-428517fef5b9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/pubnub/go/v6"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.1.1-0.20231016150651-428517fef5b9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/pubnub/go/v5"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.0.4-0.20231016150651-428517fef5b9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Pubnub"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.19.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "SwiftURL",
"name": "github.com/pubnub/swift"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.2.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "pubnub"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.3.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "crates.io",
"name": "pubnub"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.4.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "pubnub/pubnub"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.1.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Pub",
"name": "pubnub"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.3.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "pubnub"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.3.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-26154"
],
"database_specific": {
"cwe_ids": [
"CWE-331"
],
"github_reviewed": true,
"github_reviewed_at": "2023-12-06T16:55:26Z",
"nvd_published_at": "2023-12-06T05:15:10Z",
"severity": "MODERATE"
},
"details": "Versions of the package pubnub before 7.4.0; all versions of the package com.pubnub:pubnub; versions of the package pubnub before 6.19.0; all versions of the package github.com/pubnub/go; versions of the package github.com/pubnub/go/v7 before 7.2.0; versions of the package pubnub before 7.3.0; versions of the package pubnub/pubnub before 6.1.0; versions of the package pubnub before 5.3.0; versions of the package pubnub before 0.4.0; versions of the package pubnub/c-core before 4.5.0; versions of the package com.pubnub:pubnub-kotlin before 7.7.0; versions of the package pubnub/swift before 6.2.0; versions of the package pubnub before 5.2.0; versions of the package pubnub before 4.3.0 are vulnerable to Insufficient Entropy via the getKey function, due to inefficient implementation of the AES-256-CBC cryptographic algorithm. The provided encrypt function is less secure when hex encoding and trimming are applied, leaving half of the bits in the key always the same for every encoded message or file.\n\n**Note:**\n\nIn order to exploit this vulnerability, the attacker needs to invest resources in preparing the attack and brute-force the encryption.",
"id": "GHSA-5844-q3fc-56rh",
"modified": "2025-07-22T15:14:55Z",
"published": "2023-12-06T06:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26154"
},
{
"type": "WEB",
"url": "https://github.com/pubnub/go/commit/428517fef5b901db7275d9f5a75eda89a4c28e08"
},
{
"type": "WEB",
"url": "https://github.com/pubnub/javascript/commit/fb6cd0417cbb4ba87ea2d5d86a9c94774447e119"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-UNMANAGED-PUBNUBCCORE-6098379"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-SWIFT-PUBNUBSWIFT-6098381"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-RUST-PUBNUB-6098378"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-RUBY-PUBNUB-6098377"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-PYTHON-PUBNUB-6098375"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-PUB-PUBNUB-6098385"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-PHP-PUBNUBPUBNUB-6098376"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-JS-PUBNUB-5840690"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-JAVA-COMPUBNUB-6098380"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-JAVA-COMPUBNUB-6098371"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMPUBNUBGOV7-6098374"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMPUBNUBGO-6098373"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-DOTNET-PUBNUB-6098372"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-COCOAPODS-PUBNUB-6098384"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/pubnub/CVE-2023-26154.yml"
},
{
"type": "WEB",
"url": "https://github.com/pubnub/javascript/blob/master/src/crypto/modules/web.js#L70"
},
{
"type": "PACKAGE",
"url": "https://github.com/pubnub/javascript"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-5844-q3fc-56rh"
},
{
"type": "WEB",
"url": "https://gist.github.com/vargad/20237094fce7a0a28f0723d7ce395bb0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "pubnub Insufficient Entropy vulnerability"
}
GHSA-5C3C-76CF-7HHM
Vulnerability from github – Published: 2021-12-21 00:00 – Updated: 2022-01-04 00:01A user of a machine protected by SafeNet Agent for Windows Logon may leverage weak entropy to access the encrypted credentials of any or all the users on that machine.
{
"affected": [],
"aliases": [
"CVE-2021-42138"
],
"database_specific": {
"cwe_ids": [
"CWE-331"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-20T21:15:00Z",
"severity": "MODERATE"
},
"details": "A user of a machine protected by SafeNet Agent for Windows Logon may leverage weak entropy to access the encrypted credentials of any or all the users on that machine.",
"id": "GHSA-5c3c-76cf-7hhm",
"modified": "2022-01-04T00:01:25Z",
"published": "2021-12-21T00:00:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42138"
},
{
"type": "WEB",
"url": "https://cpl.thalesgroup.com/support/security-updates"
},
{
"type": "WEB",
"url": "https://supportportal.gemalto.com/csm?sys_kb_id=a52bd13adbff7010f0e322080596194a\u0026id=kb_article_view\u0026sysparm_rank=1\u0026sysparm_tsqueryId=b3bdd932db33b010f0e3220805961955"
},
{
"type": "WEB",
"url": "https://supportportal.gemalto.com/csm?sys_kb_id=e8397662dbb7fc10520c4705059619eb\u0026id=kb_article_view\u0026sysparm_rank=2\u0026sysparm_tsqueryId=b3bdd932db33b010f0e3220805961955"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-5Q94-JXWQ-FQFX
Vulnerability from github – Published: 2022-05-24 17:19 – Updated: 2024-04-04 02:54The Bluetooth Low Energy implementation in Cypress PSoC Creator BLE 4.2 component versions before 3.64 generates a random number (Pairing Random) with significantly less entropy than the specified 128 bits during BLE pairing. This is the case for both authenticated and unauthenticated pairing with both LE Secure Connections as well as LE Legacy Pairing. A predictable or brute-forceable random number allows an attacker (in radio range) to perform a MITM attack during BLE pairing.
{
"affected": [],
"aliases": [
"CVE-2020-11957"
],
"database_specific": {
"cwe_ids": [
"CWE-331"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-06-09T19:15:00Z",
"severity": "HIGH"
},
"details": "The Bluetooth Low Energy implementation in Cypress PSoC Creator BLE 4.2 component versions before 3.64 generates a random number (Pairing Random) with significantly less entropy than the specified 128 bits during BLE pairing. This is the case for both authenticated and unauthenticated pairing with both LE Secure Connections as well as LE Legacy Pairing. A predictable or brute-forceable random number allows an attacker (in radio range) to perform a MITM attack during BLE pairing.",
"id": "GHSA-5q94-jxwq-fqfx",
"modified": "2024-04-04T02:54:20Z",
"published": "2022-05-24T17:19:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11957"
},
{
"type": "WEB",
"url": "https://www.cypress.com/file/504466/download"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Determine the necessary entropy to adequately provide for randomness and predictability. This can be achieved by increasing the number of bits of objects such as keys and seeds.
CAPEC-59: Session Credential Falsification through Prediction
This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.