CWE-335
AllowedIncorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)
Abstraction: Base · Status: Draft
The product uses a Pseudo-Random Number Generator (PRNG) but does not correctly manage seeds.
53 vulnerabilities reference this CWE, most recent first.
GHSA-MX87-47CG-9WPG
Vulnerability from github – Published: 2022-05-13 01:49 – Updated: 2022-05-13 01:49An issue was discovered in ntopng 3.4 before 3.4.180617. The PRNG involved in the generation of session IDs is not seeded at program startup. This results in deterministic session IDs being allocated for active user sessions. An attacker with foreknowledge of the operating system and standard library in use by the host running the service and the username of the user whose session they're targeting can abuse the deterministic random number generation in order to hijack the user's session, thus escalating their access.
{
"affected": [],
"aliases": [
"CVE-2018-12520"
],
"database_specific": {
"cwe_ids": [
"CWE-335"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-07-05T20:29:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in ntopng 3.4 before 3.4.180617. The PRNG involved in the generation of session IDs is not seeded at program startup. This results in deterministic session IDs being allocated for active user sessions. An attacker with foreknowledge of the operating system and standard library in use by the host running the service and the username of the user whose session they\u0027re targeting can abuse the deterministic random number generation in order to hijack the user\u0027s session, thus escalating their access.",
"id": "GHSA-mx87-47cg-9wpg",
"modified": "2022-05-13T01:49:35Z",
"published": "2022-05-13T01:49:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12520"
},
{
"type": "WEB",
"url": "https://github.com/ntop/ntopng/commit/30610bda60cbfc058f90a1c0a17d0e8f4516221a"
},
{
"type": "WEB",
"url": "https://gist.github.com/Psychotropos/3e8c047cada9b1fb716e6a014a428b7f"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/44973"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2018/Jul/14"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P4GH-942G-MC76
Vulnerability from github – Published: 2024-12-09 03:30 – Updated: 2024-12-09 03:30ColPack 1.0.10 through 9a7293a has a predictable temporary file (located under /tmp with a name derived from an unseeded RNG). The impact can be overwriting files or making ColPack graphing unavailable to other users.
{
"affected": [],
"aliases": [
"CVE-2024-55566"
],
"database_specific": {
"cwe_ids": [
"CWE-335"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-09T02:15:19Z",
"severity": "MODERATE"
},
"details": "ColPack 1.0.10 through 9a7293a has a predictable temporary file (located under /tmp with a name derived from an unseeded RNG). The impact can be overwriting files or making ColPack graphing unavailable to other users.",
"id": "GHSA-p4gh-942g-mc76",
"modified": "2024-12-09T03:30:59Z",
"published": "2024-12-09T03:30:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-55566"
},
{
"type": "WEB",
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1225617"
},
{
"type": "WEB",
"url": "https://cwe.mitre.org/data/definitions/335.html"
},
{
"type": "WEB",
"url": "https://github.com/CSCsw/ColPack/blob/9a7293a8dfd66a60434496b8df5ebb4274d70339/src/Utilities/extra.cpp#L184-L190"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PFF9-53M5-QR56
Vulnerability from github – Published: 2025-01-27 15:30 – Updated: 2025-01-27 21:34Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) vulnerability in Apache Cocoon.
This issue affects Apache Cocoon: all versions.
When a continuation is created, it gets a random identifier. Because the random number generator used to generate these identifiers was seeded with the startup time, it may not have been sufficiently unpredictable, and an attacker could use this to guess continuation ids and look up continuations they should not have had access to.
As a mitigation, you may enable the "session-bound-continuations" option to make sure continuations are not shared across sessions.
As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users.
NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.cocoon:cocoon-forms-impl"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.3.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.cocoon:cocoon-sitemap-impl"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.3.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-24783"
],
"database_specific": {
"cwe_ids": [
"CWE-335"
],
"github_reviewed": true,
"github_reviewed_at": "2025-01-27T17:22:59Z",
"nvd_published_at": "2025-01-27T15:15:17Z",
"severity": "LOW"
},
"details": "Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) vulnerability in Apache Cocoon.\n\nThis issue affects Apache Cocoon: all versions.\n\nWhen a continuation is created, it gets a random identifier. Because the random number generator used to generate these identifiers was seeded with the startup time, it may not have been sufficiently unpredictable, and an attacker could use this to guess continuation ids and look up continuations they should not have had access to.\n\nAs a mitigation, you may enable the \"session-bound-continuations\" option to make sure continuations are not shared across sessions.\n\n\nAs this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users.\n\nNOTE: This vulnerability only affects products that are no longer supported by the maintainer.",
"id": "GHSA-pff9-53m5-qr56",
"modified": "2025-01-27T21:34:13Z",
"published": "2025-01-27T15:30:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24783"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/cocoon"
},
{
"type": "WEB",
"url": "https://github.com/apache/cocoon/blob/32a4e41183ba74351d85060011151b2d58acfc52/blocks/cocoon-forms/cocoon-forms-impl/src/main/java/org/apache/cocoon/forms/formmodel/CaptchaField.java#L70"
},
{
"type": "WEB",
"url": "https://github.com/apache/cocoon/blob/32a4e41183ba74351d85060011151b2d58acfc52/core/cocoon-sitemap/cocoon-sitemap-impl/src/main/java/org/apache/cocoon/components/flow/ContinuationsManagerImpl.java#L112"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/pk86jp5cvn41432op8wv1k8p14mp27nz"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/01/27/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "Apache Cocoon vulnerable to Incorrect Usage of Seeds in Pseudo-Random Number Generator"
}
GHSA-PGC5-R6CV-2825
Vulnerability from github – Published: 2026-03-19 21:30 – Updated: 2026-04-29 18:31Protection mechanism failure in wolfCrypt post-quantum implementations (ML-KEM and ML-DSA) in wolfSSL on ARM Cortex-M microcontrollers allows a physical attacker to compromise key material and/or cryptographic outcomes via induced transient faults that corrupt or redirect seed/pointer values during Keccak-based expansion.
This issue affects wolfSSL (wolfCrypt): commit hash d86575c766e6e67ef93545fa69c04d6eb49400c6.
{
"affected": [],
"aliases": [
"CVE-2026-3503"
],
"database_specific": {
"cwe_ids": [
"CWE-335"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-19T19:16:20Z",
"severity": "MODERATE"
},
"details": "Protection mechanism failure in wolfCrypt post-quantum implementations (ML-KEM and ML-DSA) in wolfSSL on ARM Cortex-M microcontrollers allows a physical attacker to compromise key material and/or cryptographic outcomes via induced transient faults that corrupt or redirect seed/pointer values during Keccak-based expansion.\n\n\n\n\nThis issue affects wolfSSL (wolfCrypt): commit hash d86575c766e6e67ef93545fa69c04d6eb49400c6.",
"id": "GHSA-pgc5-r6cv-2825",
"modified": "2026-04-29T18:31:30Z",
"published": "2026-03-19T21:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3503"
},
{
"type": "WEB",
"url": "https://github.com/wolfSSL/wolfssl/pull/9734"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:P/AC:H/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Amber",
"type": "CVSS_V4"
}
]
}
GHSA-R57W-H3MC-4JRV
Vulnerability from github – Published: 2026-06-26 09:30 – Updated: 2026-07-01 18:31Bytes::Random::Secure versions through 0.29 for Perl share internal state across forked processes.
When an object is initialised before forking, or when the functional interface is used, then the internal state for the PRNG is shared across processes and identical random streams will be produced.
Secrets generated in multiprocess applications are predictable across processes.
{
"affected": [],
"aliases": [
"CVE-2026-11625"
],
"database_specific": {
"cwe_ids": [
"CWE-335"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-26T09:16:33Z",
"severity": "HIGH"
},
"details": "Bytes::Random::Secure versions through 0.29 for Perl share internal state across forked processes.\n\nWhen an object is initialised before forking, or when the functional interface is used, then the internal state for the PRNG is shared across processes and identical random streams will be produced.\n\nSecrets generated in multiprocess applications are predictable across processes.",
"id": "GHSA-r57w-h3mc-4jrv",
"modified": "2026-07-01T18:31:23Z",
"published": "2026-06-26T09:30:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11625"
},
{
"type": "WEB",
"url": "https://github.com/daoswald/Bytes-Random-Secure/issues/3"
},
{
"type": "WEB",
"url": "https://github.com/daoswald/Bytes-Random-Secure/pull/4"
},
{
"type": "WEB",
"url": "https://security.metacpan.org/patches/B/Bytes-Random-Secure/0.29/CVE-2026-11625-r1.patch"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-11702"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-41564"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R8X8-RV8C-J266
Vulnerability from github – Published: 2024-05-18 21:30 – Updated: 2025-11-05 00:31QAbstractOAuth in Qt Network Authorization in Qt before 5.15.17, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.6, and 6.6.x through 6.7.x before 6.7.1 uses only the time to seed the PRNG, which may result in guessable values.
{
"affected": [],
"aliases": [
"CVE-2024-36048"
],
"database_specific": {
"cwe_ids": [
"CWE-335"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-18T21:15:47Z",
"severity": "CRITICAL"
},
"details": "QAbstractOAuth in Qt Network Authorization in Qt before 5.15.17, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.6, and 6.6.x through 6.7.x before 6.7.1 uses only the time to seed the PRNG, which may result in guessable values.",
"id": "GHSA-r8x8-rv8c-j266",
"modified": "2025-11-05T00:31:17Z",
"published": "2024-05-18T21:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36048"
},
{
"type": "WEB",
"url": "https://codereview.qt-project.org/c/qt/qtnetworkauth/+/560317"
},
{
"type": "WEB",
"url": "https://codereview.qt-project.org/c/qt/qtnetworkauth/+/560368"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RGB6KUPJFQWUBKXVDPJUMAD6KNJJEWPW"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZOOZZZSK5PNRHFGQMUGUHVYWLILFJCRS"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZPHAI3DKDCIU6XLNS6PV6GFS2PHH3GZM"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGB6KUPJFQWUBKXVDPJUMAD6KNJJEWPW"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZOOZZZSK5PNRHFGQMUGUHVYWLILFJCRS"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZPHAI3DKDCIU6XLNS6PV6GFS2PHH3GZM"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RG3C-6WCJ-37GM
Vulnerability from github – Published: 2022-05-24 16:44 – Updated: 2024-04-04 00:15When handling a SSLv2-compatible ClientHello request, the server doesn't generate a new random value but sends an all-zero value instead. This results in full malleability of the ClientHello for SSLv2 used for TLS 1.2 in all versions prior to NSS 3.39. This does not impact TLS 1.3.
{
"affected": [],
"aliases": [
"CVE-2018-12384"
],
"database_specific": {
"cwe_ids": [
"CWE-335"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-04-29T15:29:00Z",
"severity": "MODERATE"
},
"details": "When handling a SSLv2-compatible ClientHello request, the server doesn\u0027t generate a new random value but sends an all-zero value instead. This results in full malleability of the ClientHello for SSLv2 used for TLS 1.2 in all versions prior to NSS 3.39. This does not impact TLS 1.3.",
"id": "GHSA-rg3c-6wcj-37gm",
"modified": "2024-04-04T00:15:45Z",
"published": "2022-05-24T16:44:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12384"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2018-12384"
},
{
"type": "WEB",
"url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-V9GV-XP36-JGJ8
Vulnerability from github – Published: 2026-06-30 16:15 – Updated: 2026-06-30 16:15Impact
Shovel and Federation plugins perform URI obfuscation in their worker (link) state. The encryption key used to encrypt the URI was seeded with a predictable secret.
This means that in case of certain exceptions related to Shovel and Federation plugins, reasonably easily deobfuscatable data could appear in the node log.
Patched versions correctly use a cluster-wide secret for that purpose.
Patches
Patched versions:
3.10.23.9.183.8.32
Workarounds
Disable Shovel and Federation plugins.
Credits
RabbitMQ core team would like to thank Lajos @luos Gerecs and Anh Nguyen from Erlang Solutions for responsibly disclosing and working with us on a patch for this vulnerability.
For more information
{
"affected": [
{
"package": {
"ecosystem": "Hex",
"name": "rabbit_common"
},
"ranges": [
{
"events": [
{
"introduced": "3.10.0"
},
{
"fixed": "3.10.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Hex",
"name": "rabbit_common"
},
"ranges": [
{
"events": [
{
"introduced": "3.9.0"
},
{
"fixed": "3.9.18"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Hex",
"name": "rabbit_common"
},
"ranges": [
{
"events": [
{
"introduced": "3.8.0"
},
{
"fixed": "3.8.32"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-31008"
],
"database_specific": {
"cwe_ids": [
"CWE-330",
"CWE-335"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-30T16:15:48Z",
"nvd_published_at": "2022-10-06T18:16:00Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nShovel and Federation plugins perform URI obfuscation in their worker (link) state. The encryption key used to encrypt\nthe URI was seeded with a predictable secret.\n\nThis means that in case of certain exceptions related to Shovel and Federation plugins,\nreasonably easily deobfuscatable data could appear in the node log.\n\nPatched versions correctly use a cluster-wide secret for that purpose.\n\n### Patches\n\nPatched versions:\n\n * `3.10.2`\n * `3.9.18`\n * `3.8.32`\n\n### Workarounds\n\nDisable Shovel and Federation plugins.\n\n### Credits\n\nRabbitMQ core team would like to thank Lajos @luos Gerecs and Anh Nguyen from Erlang Solutions\nfor responsibly disclosing and working with us on a patch for this vulnerability.\n\n### For more information\n\n * [Mailing list](https://groups.google.com/forum/#!forum/rabbitmq-users)\n * [Community Slack](https://rabbitmq-slack.herokuapp.com/)",
"id": "GHSA-v9gv-xp36-jgj8",
"modified": "2026-06-30T16:15:48Z",
"published": "2026-06-30T16:15:48Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-v9gv-xp36-jgj8"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31008"
},
{
"type": "WEB",
"url": "https://github.com/rabbitmq/rabbitmq-server/pull/4841"
},
{
"type": "WEB",
"url": "https://github.com/rabbitmq/rabbitmq-server/commit/c22e1cb20e656d211e025c417d1fc75a9067b717"
},
{
"type": "PACKAGE",
"url": "https://github.com/rabbitmq/rabbitmq-server"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "RabbitMQ has predictable credential obfuscation seed value used in Shovel and Federation plugins"
}
GHSA-VCWJ-3Q56-R32W
Vulnerability from github – Published: 2026-06-26 09:30 – Updated: 2026-07-01 18:31Bytes::Random::Secure::Tiny versions through 1.011 for Perl share internal state across forked processes.
When an object is initialised before forking, then the internal state for the PRNG is shared across processes and identical random streams will be produced.
Secrets generated in multiprocess applications are predictable across processes.
{
"affected": [],
"aliases": [
"CVE-2026-11702"
],
"database_specific": {
"cwe_ids": [
"CWE-335"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-26T09:16:33Z",
"severity": "HIGH"
},
"details": "Bytes::Random::Secure::Tiny versions through 1.011 for Perl share internal state across forked processes.\n\nWhen an object is initialised before forking, then the internal state for the PRNG is shared across processes and identical random streams will be produced.\n\nSecrets generated in multiprocess applications are predictable across processes.",
"id": "GHSA-vcwj-3q56-r32w",
"modified": "2026-07-01T18:31:23Z",
"published": "2026-06-26T09:30:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11702"
},
{
"type": "WEB",
"url": "https://github.com/daoswald/Bytes-Random-Secure-Tiny/issues/6"
},
{
"type": "WEB",
"url": "https://github.com/daoswald/Bytes-Random-Secure-Tiny/pull/7"
},
{
"type": "WEB",
"url": "https://security.metacpan.org/patches/B/Bytes-Random-Secure-Tiny/1.011/CVE-2026-11702-r1.patch"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-11625"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-41564"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VFP4-XX6M-7VF6
Vulnerability from github – Published: 2022-02-15 01:57 – Updated: 2024-02-12 15:33Elastic Cloud on Kubernetes (ECK) versions prior to 1.1.0 generate passwords using a weak random number generator. If an attacker is able to determine when the current Elastic Stack cluster was deployed they may be able to more easily brute force the Elasticsearch credentials generated by ECK.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/elastic/cloud-on-k8s"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-7010"
],
"database_specific": {
"cwe_ids": [
"CWE-335"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-13T20:25:19Z",
"nvd_published_at": "2020-06-03T18:15:22Z",
"severity": "HIGH"
},
"details": "Elastic Cloud on Kubernetes (ECK) versions prior to 1.1.0 generate passwords using a weak random number generator. If an attacker is able to determine when the current Elastic Stack cluster was deployed they may be able to more easily brute force the Elasticsearch credentials generated by ECK.",
"id": "GHSA-vfp4-xx6m-7vf6",
"modified": "2024-02-12T15:33:39Z",
"published": "2022-02-15T01:57:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7010"
},
{
"type": "WEB",
"url": "https://www.elastic.co/community/security"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Cryptographic Issues in ECK"
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.