CWE-338
AllowedUse of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
Abstraction: Base · Status: Draft
The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.
293 vulnerabilities reference this CWE, most recent first.
GHSA-QP5M-38PC-FMJ4
Vulnerability from github – Published: 2022-05-14 01:51 – Updated: 2022-05-14 01:51A lottery smart contract implementation for Greedy 599, an Ethereum gambling game, generates a random value that is predictable via an external contract call. The developer used the extcodesize() function to prevent a malicious contract from being called, but the attacker can bypass it by writing the core code in the constructor of their exploit code. Therefore, it allows attackers to always win and get rewards.
{
"affected": [],
"aliases": [
"CVE-2018-17877"
],
"database_specific": {
"cwe_ids": [
"CWE-338"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-10-23T21:30:00Z",
"severity": "HIGH"
},
"details": "A lottery smart contract implementation for Greedy 599, an Ethereum gambling game, generates a random value that is predictable via an external contract call. The developer used the extcodesize() function to prevent a malicious contract from being called, but the attacker can bypass it by writing the core code in the constructor of their exploit code. Therefore, it allows attackers to always win and get rewards.",
"id": "GHSA-qp5m-38pc-fmj4",
"modified": "2022-05-14T01:51:54Z",
"published": "2022-05-14T01:51:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-17877"
},
{
"type": "WEB",
"url": "https://github.com/TEAM-C4B/CVE-LIST/tree/master/CVE-2018-17877"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QPX5-6WW4-HP56
Vulnerability from github – Published: 2024-08-13 18:31 – Updated: 2024-08-13 18:31Generation of weak and predictable Initialization Vector (IV) in PMFW (Power Management Firmware) may allow an attacker with privileges to reuse IV values to reverse-engineer debug data, potentially resulting in information disclosure.
{
"affected": [],
"aliases": [
"CVE-2023-31305"
],
"database_specific": {
"cwe_ids": [
"CWE-338"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-13T17:15:20Z",
"severity": "LOW"
},
"details": "Generation of weak and predictable Initialization Vector (IV) in PMFW (Power Management Firmware) may allow an attacker with privileges to reuse IV values to reverse-engineer debug data, potentially resulting in information disclosure.",
"id": "GHSA-qpx5-6ww4-hp56",
"modified": "2024-08-13T18:31:15Z",
"published": "2024-08-13T18:31:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31305"
},
{
"type": "WEB",
"url": "https://www.amd.com/en/resources/product-security/bulletin/amd-sb-6005.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QX3R-XM4V-RGRH
Vulnerability from github – Published: 2022-05-02 03:43 – Updated: 2024-02-15 06:31The QNAP TS-239 Pro and TS-639 Pro with firmware 2.1.7 0613, 3.1.0 0627, and 3.1.1 0815 use the rand library function to generate a certain recovery key, which makes it easier for local users to determine this key via a brute-force attack.
{
"affected": [],
"aliases": [
"CVE-2009-3278"
],
"database_specific": {
"cwe_ids": [
"CWE-338"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2009-09-21T19:30:00Z",
"severity": "MODERATE"
},
"details": "The QNAP TS-239 Pro and TS-639 Pro with firmware 2.1.7 0613, 3.1.0 0627, and 3.1.1 0815 use the rand library function to generate a certain recovery key, which makes it easier for local users to determine this key via a brute-force attack.",
"id": "GHSA-qx3r-xm4v-rgrh",
"modified": "2024-02-15T06:31:31Z",
"published": "2022-05-02T03:43:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2009-3278"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/36793"
},
{
"type": "WEB",
"url": "http://www.baseline-security.de/downloads/BSC-Qnap_Crypto_Backdoor-CVE-2009-3200.txt"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/archive/1/506607/100/0/threaded"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/36467"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R2F4-W3VH-WPXJ
Vulnerability from github – Published: 2024-12-05 15:31 – Updated: 2024-12-05 18:31Use of cryptographically weak pseudo-random number generator (PRNG) vulnerability in the SonicWall SMA100 SSLVPN backup code generator that, in certain cases, can be predicted by an attacker, potentially exposing the generated secret.
{
"affected": [],
"aliases": [
"CVE-2024-53702"
],
"database_specific": {
"cwe_ids": [
"CWE-338"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-05T14:15:21Z",
"severity": "MODERATE"
},
"details": "Use of cryptographically weak pseudo-random number generator (PRNG) vulnerability in the SonicWall SMA100 SSLVPN backup code generator that, in certain cases, can be predicted by an attacker, potentially exposing the generated secret.",
"id": "GHSA-r2f4-w3vh-wpxj",
"modified": "2024-12-05T18:31:03Z",
"published": "2024-12-05T15:31:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53702"
},
{
"type": "WEB",
"url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0018"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R3M8-7H2R-2MP6
Vulnerability from github – Published: 2024-12-29 09:30 – Updated: 2024-12-31 21:30The Crypt::Random::Source package before 0.13 for Perl has a fallback to the built-in rand() function, which is not a secure source of random bits.
{
"affected": [],
"aliases": [
"CVE-2018-25107"
],
"database_specific": {
"cwe_ids": [
"CWE-338"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-29T07:15:05Z",
"severity": "HIGH"
},
"details": "The Crypt::Random::Source package before 0.13 for Perl has a fallback to the built-in rand() function, which is not a secure source of random bits.",
"id": "GHSA-r3m8-7h2r-2mp6",
"modified": "2024-12-31T21:30:45Z",
"published": "2024-12-29T09:30:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-25107"
},
{
"type": "WEB",
"url": "https://github.com/karenetheridge/Crypt-Random-Source/pull/3"
},
{
"type": "WEB",
"url": "https://metacpan.org/release/ETHER/Crypt-Random-Source-0.13/changes"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R49C-4Q8X-X33V
Vulnerability from github – Published: 2026-07-01 09:30 – Updated: 2026-07-01 18:31CGI::Session::ID::md5 versions before 4.49 for Perl generate predictable session ids from low-entropy sources.
The generate_id method builds the session id from a MD5 digest of the process id, the epoch time, and the built-in rand() function. All three are predictable, low-entropy sources: the PID is drawn from a small range, the epoch time can be guessed or read from the HTTP Date header, and Perl's rand() is unsuitable for security purposes because it is predictable and reversible.
An attacker who predicts a session id can impersonate the corresponding session and bypass authentication.
{
"affected": [],
"aliases": [
"CVE-2026-56016"
],
"database_specific": {
"cwe_ids": [
"CWE-338"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-01T08:16:21Z",
"severity": "MODERATE"
},
"details": "CGI::Session::ID::md5 versions before 4.49 for Perl generate predictable session ids from low-entropy sources.\n\nThe generate_id method builds the session id from a MD5 digest of the process id, the epoch time, and the built-in rand() function. All three are predictable, low-entropy sources: the PID is drawn from a small range, the epoch time can be guessed or read from the HTTP Date header, and Perl\u0027s rand() is unsuitable for security purposes because it is predictable and reversible.\n\nAn attacker who predicts a session id can impersonate the corresponding session and bypass authentication.",
"id": "GHSA-r49c-4q8x-x33v",
"modified": "2026-07-01T18:31:47Z",
"published": "2026-07-01T09:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-56016"
},
{
"type": "WEB",
"url": "https://metacpan.org/release/MARKSTOS/CGI-Session-4.49/changes"
},
{
"type": "WEB",
"url": "https://metacpan.org/release/MARKSTOS/CGI-Session-4.49/source/lib/CGI/Session/ID/md5.pm"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/07/01/6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R6G6-6H6F-XCMJ
Vulnerability from github – Published: 2026-04-15 18:31 – Updated: 2026-04-16 15:31Apache::API::Password versions through v0.5.2 for Perl can generate insecure random values for salts.
The _make_salt and _make_salt_bcrypt methods will attept to load Crypt::URandom and then Bytes::Random::Secure to generate random bytes for the salt. If those modules are unavailable, it will simply return 16 bytes generated with Perl's built-in rand function.
The rand function is unsuitable for cryptographic use.
These salts are used for password hashing.
{
"affected": [],
"aliases": [
"CVE-2026-5088"
],
"database_specific": {
"cwe_ids": [
"CWE-338"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-15T08:16:16Z",
"severity": "HIGH"
},
"details": "Apache::API::Password versions through v0.5.2 for Perl can generate insecure random values for salts.\n\nThe _make_salt and _make_salt_bcrypt methods will attept to load Crypt::URandom and then Bytes::Random::Secure to generate random bytes for the salt. If those modules are unavailable, it will simply return 16 bytes generated with Perl\u0027s built-in rand function.\n\nThe rand function is unsuitable for cryptographic use.\n\nThese salts are used for password hashing.",
"id": "GHSA-r6g6-6h6f-xcmj",
"modified": "2026-04-16T15:31:31Z",
"published": "2026-04-15T18:31:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5088"
},
{
"type": "WEB",
"url": "https://metacpan.org/pod/Crypt::URandom"
},
{
"type": "WEB",
"url": "https://metacpan.org/release/JDEGUEST/Apache2-API-v0.5.2/view/lib/Apache2/API/Password.pod"
},
{
"type": "WEB",
"url": "https://metacpan.org/release/JDEGUEST/Apache2-API-v0.5.3/changes"
},
{
"type": "WEB",
"url": "https://security.metacpan.org/docs/guides/random-data-for-security.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/04/15/4"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/04/15/5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R6MR-WMGJ-F864
Vulnerability from github – Published: 2026-03-31 18:31 – Updated: 2026-04-01 18:36PAGI::Middleware::Session::Store::Cookie versions through 0.001003 for Perl generates random bytes insecurely.
PAGI::Middleware::Session::Store::Cookie attempts to read bytes from the /dev/urandom device directly. If that fails (for example, on systems without the device, such as Windows), then it will emit a warning that recommends the user install Crypt::URandom, and then return a string of random bytes generated by the built-in rand function, which is unsuitable for cryptographic applications.
This modules does not use the Crypt::URandom module, and installing it will not fix the problem.
The random bytes are used for generating an initialisation vector (IV) to encrypt the cookie.
A predictable IV may make it easier for malicious users to decrypt and tamper with the session data that is stored in the cookie.
{
"affected": [],
"aliases": [
"CVE-2026-5087"
],
"database_specific": {
"cwe_ids": [
"CWE-338"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-31T16:16:35Z",
"severity": "HIGH"
},
"details": "PAGI::Middleware::Session::Store::Cookie versions through 0.001003 for Perl generates random bytes insecurely.\n\nPAGI::Middleware::Session::Store::Cookie attempts to read bytes from the /dev/urandom device directly. If that fails (for example, on systems without the device, such as Windows), then it will emit a warning that recommends the user install Crypt::URandom, and then return a string of random bytes generated by the built-in rand function, which is unsuitable for cryptographic applications.\n\nThis modules does not use the Crypt::URandom module, and installing it will not fix the problem.\n\nThe random bytes are used for generating an initialisation vector (IV) to encrypt the cookie.\n\nA predictable IV may make it easier for malicious users to decrypt and tamper with the session data that is stored in the cookie.",
"id": "GHSA-r6mr-wmgj-f864",
"modified": "2026-04-01T18:36:34Z",
"published": "2026-03-31T18:31:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5087"
},
{
"type": "WEB",
"url": "https://metacpan.org/release/JJNAPIORK/PAGI-Middleware-Session-Store-Cookie-0.001003/source/lib/PAGI/Middleware/Session/Store/Cookie.pm#L156-173"
},
{
"type": "WEB",
"url": "https://metacpan.org/release/JJNAPIORK/PAGI-Middleware-Session-Store-Cookie-0.001004/changes"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/03/31/10"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R79P-JP6R-P5PM
Vulnerability from github – Published: 2022-05-13 01:49 – Updated: 2022-05-13 01:49In Snapdragon (Automobile, Mobile, Wear) in version MDM9206, MDM9607, MDM9640, MDM9650, MSM8996AU, QCA6574AU, QCA6584, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 625, SD 650/52, SD 820A, SD 845, SDM429, SDM439, SDM630, SDM632, SDM636, SDM660, SDX20, Snapdragon_High_Med_2016, MAC address randomization performed during probe requests is not done properly due to a flawed RNG in use.
{
"affected": [],
"aliases": [
"CVE-2018-11290"
],
"database_specific": {
"cwe_ids": [
"CWE-338"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-09-20T13:29:00Z",
"severity": "HIGH"
},
"details": "In Snapdragon (Automobile, Mobile, Wear) in version MDM9206, MDM9607, MDM9640, MDM9650, MSM8996AU, QCA6574AU, QCA6584, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 625, SD 650/52, SD 820A, SD 845, SDM429, SDM439, SDM630, SDM632, SDM636, SDM660, SDX20, Snapdragon_High_Med_2016, MAC address randomization performed during probe requests is not done properly due to a flawed RNG in use.",
"id": "GHSA-r79p-jp6r-p5pm",
"modified": "2022-05-13T01:49:11Z",
"published": "2022-05-13T01:49:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11290"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2018-09-01#qualcomm-closed-source-components"
},
{
"type": "WEB",
"url": "https://www.qualcomm.com/company/product-security/bulletins"
},
{
"type": "WEB",
"url": "http://support.blackberry.com/kb/articleDetail?language=en_US\u0026articleNumber=000051618"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RC75-CF5C-MXVH
Vulnerability from github – Published: 2019-11-06 17:06 – Updated: 2021-08-18 22:08The SAML identifier generated within SAML2Utils.java was found to make use of the apache commons-lang3 RandomStringUtils class which makes them predictable due to RandomStringUtils PRNG's algorithm not being cryptographically strong. This issue only affects the 3.X release of pac4j-saml.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.pac4j:pac4j-saml"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.8.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-10755"
],
"database_specific": {
"cwe_ids": [
"CWE-338"
],
"github_reviewed": true,
"github_reviewed_at": "2019-11-05T19:56:04Z",
"nvd_published_at": "2019-09-23T23:15:00Z",
"severity": "MODERATE"
},
"details": "The SAML identifier generated within SAML2Utils.java was found to make use of the apache commons-lang3 RandomStringUtils class which makes them predictable due to RandomStringUtils PRNG\u0027s algorithm not being cryptographically strong. This issue only affects the 3.X release of pac4j-saml.",
"id": "GHSA-rc75-cf5c-mxvh",
"modified": "2021-08-18T22:08:17Z",
"published": "2019-11-06T17:06:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10755"
},
{
"type": "WEB",
"url": "https://github.com/pac4j/pac4j/commit/34d5b1028a2db201ee81ec51b52a782fe073f609"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGPAC4J-467407"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Use of Cryptographically Weak Pseudo-Random Number Generator in org.pac4j:pac4j-saml"
}
Mitigation
Use functions or hardware which use a hardware-based random number generation for all crypto. This is the recommended solution. Use CyptGenRandom on Windows, or hw_rand() on Linux.
No CAPEC attack patterns related to this CWE.