Common Weakness Enumeration

CWE-331

Allowed

Insufficient Entropy

Abstraction: Base · Status: Draft

The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.

207 vulnerabilities reference this CWE, most recent first.

GHSA-437P-76R5-9789

Vulnerability from github – Published: 2023-11-30 18:31 – Updated: 2023-12-06 03:30
VLAI
Details

An Insufficient Entropy vulnerability in the Schweitzer Engineering Laboratories SEL-451 could allow an unauthenticated remote attacker to brute-force session tokens and bypass authentication. 

See product Instruction Manual Appendix A dated 20230830 for more details.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-31176"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-331"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-30T17:15:08Z",
    "severity": "HIGH"
  },
  "details": "An Insufficient Entropy vulnerability in the Schweitzer Engineering Laboratories SEL-451 could allow an unauthenticated remote attacker to brute-force session tokens and bypass authentication.\u00a0\n\n\nSee product Instruction Manual Appendix A dated 20230830 for more details.\n\n\n\n",
  "id": "GHSA-437p-76r5-9789",
  "modified": "2023-12-06T03:30:26Z",
  "published": "2023-11-30T18:31:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31176"
    },
    {
      "type": "WEB",
      "url": "https://selinc.com/support/security-notifications/external-reports"
    },
    {
      "type": "WEB",
      "url": "https://www.nozominetworks.com/blog"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-468W-RC5F-76WX

Vulnerability from github – Published: 2022-08-16 00:00 – Updated: 2022-08-17 00:00
VLAI
Details

Apache OpenOffice supports the storage of passwords for web connections in the user's configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in OpenOffice existed where master key was poorly encoded resulting in weakening its entropy from 128 to 43 bits making the stored passwords vulnerable to a brute force attack if an attacker has access to the users stored config. This issue affects: Apache OpenOffice versions prior to 4.1.13. Reference: CVE-2022-26307 - LibreOffice

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-37401"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312",
      "CWE-326",
      "CWE-331"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-08-15T11:21:00Z",
    "severity": "HIGH"
  },
  "details": "Apache OpenOffice supports the storage of passwords for web connections in the user\u0027s configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in OpenOffice existed where master key was poorly encoded resulting in weakening its entropy from 128 to 43 bits making the stored passwords vulnerable to a brute force attack if an attacker has access to the users stored config. This issue affects: Apache OpenOffice versions prior to 4.1.13. Reference: CVE-2022-26307 - LibreOffice",
  "id": "GHSA-468w-rc5f-76wx",
  "modified": "2022-08-17T00:00:22Z",
  "published": "2022-08-16T00:00:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37401"
    },
    {
      "type": "WEB",
      "url": "https://www.openoffice.org/security/cves/CVE-2022-37401.html"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2022/08/13/2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-46F3-RC2X-P4JV

Vulnerability from github – Published: 2025-03-26 12:30 – Updated: 2025-03-26 21:31
VLAI
Details

DBIx::Class::EncodedColumn use the rand() function, which is not cryptographically secure to salt password hashes.

This vulnerability is associated with program files lib/DBIx/Class/EncodedColumn/Digest.pm.

This issue affects DBIx::Class::EncodedColumn until 0.00032.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-27551"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-331",
      "CWE-338"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-26T11:15:38Z",
    "severity": "MODERATE"
  },
  "details": "DBIx::Class::EncodedColumn use the rand() function, which is not cryptographically secure to salt password hashes.\n\nThis vulnerability is associated with program files lib/DBIx/Class/EncodedColumn/Digest.pm.\n\nThis issue affects DBIx::Class::EncodedColumn until 0.00032.",
  "id": "GHSA-46f3-rc2x-p4jv",
  "modified": "2025-03-26T21:31:06Z",
  "published": "2025-03-26T12:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27551"
    },
    {
      "type": "WEB",
      "url": "https://metacpan.org/release/WREIS/DBIx-Class-EncodedColumn-0.00032/changes"
    },
    {
      "type": "WEB",
      "url": "https://security.metacpan.org/docs/guides/random-data-for-security.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4CRF-28C7-V4GR

Vulnerability from github – Published: 2024-08-21 06:32 – Updated: 2025-01-09 09:31
VLAI
Summary
Openshift Console insufficient entropy vulnerability
Details

An insufficient entropy vulnerability was found in the Openshift Console. In the authorization code type and implicit grant type, the OAuth2 protocol is vulnerable to a Cross-Site Request Forgery (CSRF) attack if the state parameter is used inefficiently. This flaw allows logging into the victim’s current application account using a third-party account without any restrictions.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/openshift/console"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "6.0.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-6508"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-331"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-08-21T20:09:39Z",
    "nvd_published_at": "2024-08-21T06:15:08Z",
    "severity": "MODERATE"
  },
  "details": "An insufficient entropy vulnerability was found in the Openshift Console. In the authorization code type and implicit grant type, the OAuth2 protocol is vulnerable to a Cross-Site Request Forgery (CSRF) attack if the state parameter is used inefficiently. This flaw allows logging into the victim\u2019s current application account using a third-party account without any restrictions.",
  "id": "GHSA-4crf-28c7-v4gr",
  "modified": "2025-01-09T09:31:40Z",
  "published": "2024-08-21T06:32:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6508"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:10813"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:7922"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:8415"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:8991"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:9620"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2025:0014"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2024-6508"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2295777"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openshift/console"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Openshift Console insufficient entropy vulnerability"
}

GHSA-4QQX-6M6R-7Q77

Vulnerability from github – Published: 2025-07-11 12:30 – Updated: 2025-11-03 21:34
VLAI
Details

CWE-331: Insufficient Entropy vulnerability exists that could cause root password discovery when the password generation algorithm is reverse engineered with access to installation or upgrade artifacts.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-50122"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-331"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-11T10:15:23Z",
    "severity": "HIGH"
  },
  "details": "CWE-331: Insufficient Entropy vulnerability exists that could cause root password discovery when the\npassword generation algorithm is reverse engineered with access to installation or upgrade artifacts.",
  "id": "GHSA-4qqx-6m6r-7q77",
  "modified": "2025-11-03T21:34:05Z",
  "published": "2025-07-11T12:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-50122"
    },
    {
      "type": "WEB",
      "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-189-01\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2025-189-01.pdf"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2025/Jul/7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:L/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-4RWQ-456R-X2VQ

Vulnerability from github – Published: 2024-02-24 00:30 – Updated: 2024-08-16 21:32
VLAI
Details

Hitron CODA-4582 and CODA-4589 devices have default PSKs that are generated from 5-digit hex values concatenated with a "Hitron" substring, resulting in insufficient entropy (only about one million possibilities).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-25730"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-331"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-23T22:15:55Z",
    "severity": "CRITICAL"
  },
  "details": "Hitron CODA-4582 and CODA-4589 devices have default PSKs that are generated from 5-digit hex values concatenated with a \"Hitron\" substring, resulting in insufficient entropy (only about one million possibilities).",
  "id": "GHSA-4rwq-456r-x2vq",
  "modified": "2024-08-16T21:32:35Z",
  "published": "2024-02-24T00:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25730"
    },
    {
      "type": "WEB",
      "url": "https://github.com/actuator/cve/blob/main/Hitron/CVE-2024-25730"
    },
    {
      "type": "WEB",
      "url": "https://i.ebayimg.com/images/g/I-8AAOSwGE9lsGwI/s-l1600.webp"
    },
    {
      "type": "WEB",
      "url": "https://i.ebayimg.com/images/g/MwMAAOSwjTFk3kpd/s-l1600.webp"
    },
    {
      "type": "WEB",
      "url": "https://i.ebayimg.com/images/g/VDcAAOSwlodlSuz4/s-l1600.webp"
    },
    {
      "type": "WEB",
      "url": "https://i.ebayimg.com/images/g/XaAAAOSwvMNkuESk/s-l1600.webp"
    },
    {
      "type": "WEB",
      "url": "https://i.ebayimg.com/images/g/hzUAAOSwUwVllGMZ/s-l1600.webp"
    },
    {
      "type": "WEB",
      "url": "https://i.ebayimg.com/images/g/qK8AAOSwbr9lq3PJ/s-l1600.webp"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-53PG-HP8W-G7J6

Vulnerability from github – Published: 2023-08-01 15:30 – Updated: 2024-04-04 06:28
VLAI
Details

Session tokens in RWS WorldServer 11.7.3 and earlier have a low entropy and can be enumerated, leading to unauthorized access to user sessions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-38357"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-331"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-08-01T15:15:09Z",
    "severity": "MODERATE"
  },
  "details": "Session tokens in RWS WorldServer 11.7.3 and earlier have a low entropy and can be enumerated, leading to unauthorized access to user sessions.",
  "id": "GHSA-53pg-hp8w-g7j6",
  "modified": "2024-04-04T06:28:21Z",
  "published": "2023-08-01T15:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38357"
    },
    {
      "type": "WEB",
      "url": "https://www.redteam-pentesting.de/en/advisories/rt-sa-2023-001/-session-token-enumeration-in-rws-worldserver"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/173609/RWS-WorldServer-11.7.3-Session-Token-Enumeration.html"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2023/Jul/30"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5844-Q3FC-56RH

Vulnerability from github – Published: 2023-12-06 06:30 – Updated: 2025-07-22 15:14
VLAI
Summary
pubnub Insufficient Entropy vulnerability
Details

Versions of the package pubnub before 7.4.0; all versions of the package com.pubnub:pubnub; versions of the package pubnub before 6.19.0; all versions of the package github.com/pubnub/go; versions of the package github.com/pubnub/go/v7 before 7.2.0; versions of the package pubnub before 7.3.0; versions of the package pubnub/pubnub before 6.1.0; versions of the package pubnub before 5.3.0; versions of the package pubnub before 0.4.0; versions of the package pubnub/c-core before 4.5.0; versions of the package com.pubnub:pubnub-kotlin before 7.7.0; versions of the package pubnub/swift before 6.2.0; versions of the package pubnub before 5.2.0; versions of the package pubnub before 4.3.0 are vulnerable to Insufficient Entropy via the getKey function, due to inefficient implementation of the AES-256-CBC cryptographic algorithm. The provided encrypt function is less secure when hex encoding and trimming are applied, leaving half of the bits in the key always the same for every encoded message or file.

Note:

In order to exploit this vulnerability, the attacker needs to invest resources in preparing the attack and brute-force the encryption.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "pubnub"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.pubnub:pubnub-kotlin"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.pubnub:pubnub"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "4.6.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/pubnub/go/v7"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/pubnub/go"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.0-20231016150651-428517fef5b9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/pubnub/go/v6"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.1.1-0.20231016150651-428517fef5b9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/pubnub/go/v5"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.0.4-0.20231016150651-428517fef5b9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Pubnub"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.19.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "SwiftURL",
        "name": "github.com/pubnub/swift"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "pubnub"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.3.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "pubnub"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "pubnub/pubnub"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Pub",
        "name": "pubnub"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.3.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "pubnub"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.3.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-26154"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-331"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-12-06T16:55:26Z",
    "nvd_published_at": "2023-12-06T05:15:10Z",
    "severity": "MODERATE"
  },
  "details": "Versions of the package pubnub before 7.4.0; all versions of the package com.pubnub:pubnub; versions of the package pubnub before 6.19.0; all versions of the package github.com/pubnub/go; versions of the package github.com/pubnub/go/v7 before 7.2.0; versions of the package pubnub before 7.3.0; versions of the package pubnub/pubnub before 6.1.0; versions of the package pubnub before 5.3.0; versions of the package pubnub before 0.4.0; versions of the package pubnub/c-core before 4.5.0; versions of the package com.pubnub:pubnub-kotlin before 7.7.0; versions of the package pubnub/swift before 6.2.0; versions of the package pubnub before 5.2.0; versions of the package pubnub before 4.3.0 are vulnerable to Insufficient Entropy via the getKey function, due to inefficient implementation of the AES-256-CBC cryptographic algorithm. The provided encrypt function is less secure when hex encoding and trimming are applied, leaving half of the bits in the key always the same for every encoded message or file.\n\n**Note:**\n\nIn order to exploit this vulnerability, the attacker needs to invest resources in preparing the attack and brute-force the encryption.",
  "id": "GHSA-5844-q3fc-56rh",
  "modified": "2025-07-22T15:14:55Z",
  "published": "2023-12-06T06:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26154"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pubnub/go/commit/428517fef5b901db7275d9f5a75eda89a4c28e08"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pubnub/javascript/commit/fb6cd0417cbb4ba87ea2d5d86a9c94774447e119"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-UNMANAGED-PUBNUBCCORE-6098379"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-SWIFT-PUBNUBSWIFT-6098381"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-RUST-PUBNUB-6098378"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-RUBY-PUBNUB-6098377"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-PYTHON-PUBNUB-6098375"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-PUB-PUBNUB-6098385"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-PHP-PUBNUBPUBNUB-6098376"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-JS-PUBNUB-5840690"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-JAVA-COMPUBNUB-6098380"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-JAVA-COMPUBNUB-6098371"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMPUBNUBGOV7-6098374"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMPUBNUBGO-6098373"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-DOTNET-PUBNUB-6098372"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-COCOAPODS-PUBNUB-6098384"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/pubnub/CVE-2023-26154.yml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pubnub/javascript/blob/master/src/crypto/modules/web.js#L70"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pubnub/javascript"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-5844-q3fc-56rh"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/vargad/20237094fce7a0a28f0723d7ce395bb0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "pubnub Insufficient Entropy vulnerability"
}

GHSA-5C3C-76CF-7HHM

Vulnerability from github – Published: 2021-12-21 00:00 – Updated: 2022-01-04 00:01
VLAI
Details

A user of a machine protected by SafeNet Agent for Windows Logon may leverage weak entropy to access the encrypted credentials of any or all the users on that machine.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-42138"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-331"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-12-20T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A user of a machine protected by SafeNet Agent for Windows Logon may leverage weak entropy to access the encrypted credentials of any or all the users on that machine.",
  "id": "GHSA-5c3c-76cf-7hhm",
  "modified": "2022-01-04T00:01:25Z",
  "published": "2021-12-21T00:00:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42138"
    },
    {
      "type": "WEB",
      "url": "https://cpl.thalesgroup.com/support/security-updates"
    },
    {
      "type": "WEB",
      "url": "https://supportportal.gemalto.com/csm?sys_kb_id=a52bd13adbff7010f0e322080596194a\u0026id=kb_article_view\u0026sysparm_rank=1\u0026sysparm_tsqueryId=b3bdd932db33b010f0e3220805961955"
    },
    {
      "type": "WEB",
      "url": "https://supportportal.gemalto.com/csm?sys_kb_id=e8397662dbb7fc10520c4705059619eb\u0026id=kb_article_view\u0026sysparm_rank=2\u0026sysparm_tsqueryId=b3bdd932db33b010f0e3220805961955"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-5Q94-JXWQ-FQFX

Vulnerability from github – Published: 2022-05-24 17:19 – Updated: 2024-04-04 02:54
VLAI
Details

The Bluetooth Low Energy implementation in Cypress PSoC Creator BLE 4.2 component versions before 3.64 generates a random number (Pairing Random) with significantly less entropy than the specified 128 bits during BLE pairing. This is the case for both authenticated and unauthenticated pairing with both LE Secure Connections as well as LE Legacy Pairing. A predictable or brute-forceable random number allows an attacker (in radio range) to perform a MITM attack during BLE pairing.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-11957"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-331"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-06-09T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "The Bluetooth Low Energy implementation in Cypress PSoC Creator BLE 4.2 component versions before 3.64 generates a random number (Pairing Random) with significantly less entropy than the specified 128 bits during BLE pairing. This is the case for both authenticated and unauthenticated pairing with both LE Secure Connections as well as LE Legacy Pairing. A predictable or brute-forceable random number allows an attacker (in radio range) to perform a MITM attack during BLE pairing.",
  "id": "GHSA-5q94-jxwq-fqfx",
  "modified": "2024-04-04T02:54:20Z",
  "published": "2022-05-24T17:19:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11957"
    },
    {
      "type": "WEB",
      "url": "https://www.cypress.com/file/504466/download"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation

Determine the necessary entropy to adequately provide for randomness and predictability. This can be achieved by increasing the number of bits of objects such as keys and seeds.

CAPEC-59: Session Credential Falsification through Prediction

This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.