Common Weakness Enumeration

CWE-335

Allowed

Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)

Abstraction: Base · Status: Draft

The product uses a Pseudo-Random Number Generator (PRNG) but does not correctly manage seeds.

53 vulnerabilities reference this CWE, most recent first.

GHSA-VJFH-J2FF-QXW8

Vulnerability from github – Published: 2022-10-14 12:00 – Updated: 2025-05-16 15:30
VLAI
Details

D-Link COVR 1200,1202,1203 v1.08 was discovered to have a predictable seed in a Pseudo-Random Number Generator.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-42159"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-335",
      "CWE-338"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-10-13T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "D-Link COVR 1200,1202,1203 v1.08 was discovered to have a predictable seed in a Pseudo-Random Number Generator.",
  "id": "GHSA-vjfh-j2ff-qxw8",
  "modified": "2025-05-16T15:30:30Z",
  "published": "2022-10-14T12:00:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42159"
    },
    {
      "type": "WEB",
      "url": "https://github.com/14isnot40/vul_discovery/blob/master/D-Link%20COVR%2012xx%20.pdf"
    },
    {
      "type": "WEB",
      "url": "https://www.dlink.com/en/security-bulletin"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X5R5-Q987-6XF6

Vulnerability from github – Published: 2022-05-13 01:19 – Updated: 2022-05-13 01:19
VLAI
Details

IBM GSKit (IBM DB2 for Linux, UNIX and Windows 9.7, 10.1, 10.5, and 11.1) duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded which could result in duplicate Session IDs and a risk of duplicate key material. IBM X-Force ID: 139071.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-1426"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-335"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-03-22T12:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "IBM GSKit (IBM DB2 for Linux, UNIX and Windows 9.7, 10.1, 10.5, and 11.1) duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded which could result in duplicate Session IDs and a risk of duplicate key material. IBM X-Force ID: 139071.",
  "id": "GHSA-x5r5-q987-6xf6",
  "modified": "2022-05-13T01:19:07Z",
  "published": "2022-05-13T01:19:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1426"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/139071"
    },
    {
      "type": "WEB",
      "url": "http://www.ibm.com/support/docview.wss?uid=swg22013756"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/105580"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1041012"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X62R-6WV3-49PM

Vulnerability from github – Published: 2024-02-02 00:31 – Updated: 2024-02-09 21:30
VLAI
Details

Objectplanet Opinio version 7.22 and prior uses a cryptographically weak pseudo-random number generator (PRNG) coupled to a predictable seed, which could lead to an unauthenticated account takeover of any user on the application.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-4472"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-335"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-01T22:15:55Z",
    "severity": "CRITICAL"
  },
  "details": "Objectplanet Opinio version 7.22 and prior uses a cryptographically weak pseudo-random number generator (PRNG) coupled to a predictable seed, which could lead to an unauthenticated account takeover of any user on the application.",
  "id": "GHSA-x62r-6wv3-49pm",
  "modified": "2024-02-09T21:30:57Z",
  "published": "2024-02-02T00:31:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4472"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2024/MNDT-2024-0002.md"
    },
    {
      "type": "WEB",
      "url": "https://www.objectplanet.com/opinio/changelog.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.