Common Weakness Enumeration

CWE-331

Allowed

Insufficient Entropy

Abstraction: Base · Status: Draft

The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.

207 vulnerabilities reference this CWE, most recent first.

GHSA-W3R9-MWPJ-G2C7

Vulnerability from github – Published: 2022-05-13 01:04 – Updated: 2026-06-05 00:31
VLAI
Details

A Predictable Value Range from Previous Values issue was discovered in Schneider Electric Modicon PLCs Modicon M221, firmware versions prior to Version 1.5.0.0, Modicon M241, firmware versions prior to Version 4.0.5.11, and Modicon M251, firmware versions prior to Version 4.0.5.11. The affected products generate insufficiently random TCP initial sequence numbers that may allow an attacker to predict the numbers from previous values. This may allow an attacker to spoof or disrupt TCP connections.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-6030"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-331",
      "CWE-343"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-06-30T03:29:00Z",
    "severity": "MODERATE"
  },
  "details": "A Predictable Value Range from Previous Values issue was discovered in Schneider Electric Modicon PLCs Modicon M221, firmware versions prior to Version 1.5.0.0, Modicon M241, firmware versions prior to Version 4.0.5.11, and Modicon M251, firmware versions prior to Version 4.0.5.11. The affected products generate insufficiently random TCP initial sequence numbers that may allow an attacker to predict the numbers from previous values. This may allow an attacker to spoof or disrupt TCP connections.",
  "id": "GHSA-w3r9-mwpj-g2c7",
  "modified": "2026-06-05T00:31:34Z",
  "published": "2022-05-13T01:04:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-6030"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2017/icsa-17-089-02.json"
    },
    {
      "type": "WEB",
      "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-089-02"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/97254"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W3WC-44P4-M4J7

Vulnerability from github – Published: 2026-04-01 20:29 – Updated: 2026-04-01 20:29
VLAI
Summary
Auth0 PHP SDK has Insufficient Entropy in Cookie Encryption
Details

Impact

In applications built with the Auth0 PHP SDK, cookies are encrypted with insufficient entropy, which may result in threat actors brute-forcing the encryption key and forging session cookies.

Am I Affected?

Consumers are affected if their application meets the following preconditions: - Their application is using the Auth0-PHP SDK, versions between 8.0.0 and 8.18.0 - Their application is using the Auth0-PHP SDK, or the following SDKs that rely on the Auth0-PHP SDK: - Auth0/symfony, - Auth0/laravel0-auth0, or - Auth0/wordpress

Resolution

Upgrade Auth0/Auth0-PHP to version 8.19.0 or greater.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 8.18.0"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "auth0/auth0-php"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0.0"
            },
            {
              "fixed": "8.19.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-34236"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-331"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-01T20:29:26Z",
    "nvd_published_at": "2026-04-01T18:16:30Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nIn applications built with the Auth0 PHP SDK, cookies are encrypted with insufficient entropy, which may result in threat actors brute-forcing the encryption key and forging session cookies.\n\n### Am I Affected?\nConsumers are affected if their application meets the following preconditions:\n- Their application is using the Auth0-PHP SDK, versions between 8.0.0 and 8.18.0\n- Their application is using the Auth0-PHP SDK, or the following SDKs that rely on the Auth0-PHP SDK:\n    - Auth0/symfony,\n    - Auth0/laravel0-auth0, or\n    - Auth0/wordpress\n\n### Resolution\nUpgrade Auth0/Auth0-PHP to version 8.19.0 or greater.",
  "id": "GHSA-w3wc-44p4-m4j7",
  "modified": "2026-04-01T20:29:43Z",
  "published": "2026-04-01T20:29:26Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/auth0/auth0-PHP/security/advisories/GHSA-w3wc-44p4-m4j7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34236"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/auth0/auth0-PHP"
    },
    {
      "type": "WEB",
      "url": "https://github.com/auth0/auth0-PHP/releases/tag/8.19.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Auth0 PHP SDK has Insufficient Entropy in Cookie Encryption"
}

GHSA-W3XP-RQX4-CH6M

Vulnerability from github – Published: 2026-01-06 18:31 – Updated: 2026-01-06 18:31
VLAI
Details

Arteco Web Client DVR/NVR contains a session hijacking vulnerability with insufficient session ID complexity that allows remote attackers to bypass authentication. Attackers can brute force session IDs within a specific numeric range to obtain valid sessions and access live camera streams without authorization.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-36925"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-331"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-06T16:15:50Z",
    "severity": "HIGH"
  },
  "details": "Arteco Web Client DVR/NVR contains a session hijacking vulnerability with insufficient session ID complexity that allows remote attackers to bypass authentication. Attackers can brute force session IDs within a specific numeric range to obtain valid sessions and access live camera streams without authorization.",
  "id": "GHSA-w3xp-rqx4-ch6m",
  "modified": "2026-01-06T18:31:35Z",
  "published": "2026-01-06T18:31:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36925"
    },
    {
      "type": "WEB",
      "url": "https://cxsecurity.com/issue/WLB-2020120170"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/193750"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/194139"
    },
    {
      "type": "WEB",
      "url": "https://packetstorm.news/files/id/160718"
    },
    {
      "type": "WEB",
      "url": "https://www.arteco-global.com"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/49348"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/arteco-web-client-dvrnvr-session-id-brute-force-authentication-bypass"
    },
    {
      "type": "WEB",
      "url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5613.php"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-W6PF-CX8P-259Q

Vulnerability from github – Published: 2022-05-13 01:26 – Updated: 2025-04-20 03:36
VLAI
Details

Invision Power Services (IPS) Community Suite before 4.1.9 makes session hijack easier by relying on the PHP uniqid function without the more_entropy flag. Attackers can guess an Invision Power Board session cookie if they can predict the exact time of cookie generation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-2564"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-331"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-04-23T15:59:00Z",
    "severity": "MODERATE"
  },
  "details": "Invision Power Services (IPS) Community Suite before 4.1.9 makes session hijack easier by relying on the PHP uniqid function without the more_entropy flag. Attackers can guess an Invision Power Board session cookie if they can predict the exact time of cookie generation.",
  "id": "GHSA-w6pf-cx8p-259q",
  "modified": "2025-04-20T03:36:30Z",
  "published": "2022-05-13T01:26:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-2564"
    },
    {
      "type": "WEB",
      "url": "https://invisionpower.com/release-notes/419-r37"
    },
    {
      "type": "WEB",
      "url": "https://medium.com/%40iancarroll/bypassing-authentication-in-invision-power-board-with-cve-2016-2564-9a24ea3655f9"
    },
    {
      "type": "WEB",
      "url": "https://medium.com/@iancarroll/bypassing-authentication-in-invision-power-board-with-cve-2016-2564-9a24ea3655f9"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W8CC-3H7Q-JHC3

Vulnerability from github – Published: 2022-05-24 17:21 – Updated: 2025-12-05 19:37
VLAI
Summary
Mattermost Server has low entropy for authorization data as an OAuth 2.0 Service Provider
Details

An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2, when serving as an OAuth 2.0 Service Provider. There is low entropy for authorization data.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/mattermost/mattermost-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/mattermost/mattermost-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.2.0-rc1"
            },
            {
              "fixed": "4.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/mattermost/mattermost-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.3.0-rc1"
            },
            {
              "fixed": "4.3.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2017-18883"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-331"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-05T19:37:33Z",
    "nvd_published_at": "2020-06-19T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2, when serving as an OAuth 2.0 Service Provider. There is low entropy for authorization data.",
  "id": "GHSA-w8cc-3h7q-jhc3",
  "modified": "2025-12-05T19:37:33Z",
  "published": "2022-05-24T17:21:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-18883"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mattermost/mattermost"
    },
    {
      "type": "WEB",
      "url": "https://mattermost.com/security-updates"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Mattermost Server has low entropy for authorization data as an OAuth 2.0 Service Provider"
}

GHSA-WM67-CJ4W-P69M

Vulnerability from github – Published: 2026-05-21 21:30 – Updated: 2026-05-22 00:31
VLAI
Details

Authen::TOTP versions before 0.1.1 for Perl generate secrets using rand.

Secrets were generated using Perl's built-in rand function, which is predictable and unsuitable for security usage.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-46473"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-331"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-21T19:16:53Z",
    "severity": "HIGH"
  },
  "details": "Authen::TOTP versions before 0.1.1 for Perl generate secrets using rand.\n\nSecrets were generated using Perl\u0027s built-in rand function, which is predictable and unsuitable for security usage.",
  "id": "GHSA-wm67-cj4w-p69m",
  "modified": "2026-05-22T00:31:15Z",
  "published": "2026-05-21T21:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46473"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tchatzi/Authen-TOTP/commit/d04f30cc6538d77fc6b6d550da450cf3017b8561.patch"
    },
    {
      "type": "WEB",
      "url": "https://metacpan.org/release/TCHATZI/Authen-TOTP-0.1.1/changes"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/05/21/15"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WQCC-QF63-C2X4

Vulnerability from github – Published: 2024-01-10 18:30 – Updated: 2025-11-04 22:11
VLAI
Summary
WWBN AVideo Insufficient Entropy vulnerbaility
Details

An insufficient entropy vulnerability exists in the salt generation functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted series of HTTP requests can lead to privilege escalation. An attacker can gather system information via HTTP requests and bruteforce the salt offline, leading to forging a legitimate password recovery code for the admin user.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "wwbn/avideo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "12.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-49599"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-331"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-12T23:23:08Z",
    "nvd_published_at": "2024-01-10T16:15:48Z",
    "severity": "CRITICAL"
  },
  "details": "An insufficient entropy vulnerability exists in the salt generation functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted series of HTTP requests can lead to privilege escalation. An attacker can gather system information via HTTP requests and bruteforce the salt offline, leading to forging a legitimate password recovery code for the admin user.",
  "id": "GHSA-wqcc-qf63-c2x4",
  "modified": "2025-11-04T22:11:50Z",
  "published": "2024-01-10T18:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49599"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/commit/15fed957fb64b4055158acfc449bd7974346edb5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/WWBN/AVideo"
    },
    {
      "type": "WEB",
      "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2023-1900"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "WWBN AVideo Insufficient Entropy vulnerbaility"
}

GHSA-WQX8-R5JG-36W6

Vulnerability from github – Published: 2026-02-25 15:31 – Updated: 2026-02-26 15:30
VLAI
Details

In Progress® Telerik® UI for AJAX, versions prior to 2026.1.225, an insufficient entropy vulnerability exists in RadAsyncUpload, where a predictable temporary identifier, based on timestamp and filename, can enable collisions and file content tampering.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-2878"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-331"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-25T15:20:54Z",
    "severity": "MODERATE"
  },
  "details": "In Progress\u00ae Telerik\u00ae UI for AJAX, versions prior to 2026.1.225, an insufficient entropy vulnerability exists in RadAsyncUpload, where a predictable temporary identifier, based on timestamp and filename, can enable collisions and file content tampering.",
  "id": "GHSA-wqx8-r5jg-36w6",
  "modified": "2026-02-26T15:30:29Z",
  "published": "2026-02-25T15:31:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2878"
    },
    {
      "type": "WEB",
      "url": "https://www.telerik.com/products/aspnet-ajax/documentation/knowledge-base/kb-security-insufficient-entropy-cve-2026-2878"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WV95-5RRJ-GJM9

Vulnerability from github – Published: 2021-11-21 00:00 – Updated: 2024-02-27 18:59
VLAI
Details

Dell Networking X-Series firmware versions prior to 3.0.1.8 contain an authentication bypass vulnerability. A remote unauthenticated attacker may potentially hijack a session and access the webserver by forging the session ID.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-36320"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-331"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-11-20T02:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Dell Networking X-Series firmware versions prior to 3.0.1.8 contain an authentication bypass vulnerability. A remote unauthenticated attacker may potentially hijack a session and access the webserver by forging the session ID.",
  "id": "GHSA-wv95-5rrj-gjm9",
  "modified": "2024-02-27T18:59:12Z",
  "published": "2021-11-21T00:00:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36320"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000193230/dsa-2021-191-dell-networking-x-series-security-update-for-multiple-security-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WVXG-XMPG-QCWX

Vulnerability from github – Published: 2022-05-24 19:11 – Updated: 2022-05-24 19:11
VLAI
Details

The DNS client in InterNiche NicheStack TCP/IP 4.0.1 is affected by: Insufficient entropy in the DNS transaction id. The impact is: DNS cache poisoning (remote). The component is: dns_query_type(). The attack vector is: a specific DNS response packet.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-25926"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-331"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-08-18T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "The DNS client in InterNiche NicheStack TCP/IP 4.0.1 is affected by: Insufficient entropy in the DNS transaction id. The impact is: DNS cache poisoning (remote). The component is: dns_query_type(). The attack vector is: a specific DNS response packet.",
  "id": "GHSA-wvxg-xmpg-qcwx",
  "modified": "2022-05-24T19:11:29Z",
  "published": "2022-05-24T19:11:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25926"
    },
    {
      "type": "WEB",
      "url": "https://www.forescout.com/blog/new-critical-operational-technology-vulnerabilities-found-on-nichestack"
    },
    {
      "type": "WEB",
      "url": "https://www.kb.cert.org/vuls/id/608209"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation
Implementation

Determine the necessary entropy to adequately provide for randomness and predictability. This can be achieved by increasing the number of bits of objects such as keys and seeds.

CAPEC-59: Session Credential Falsification through Prediction

This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.