Total
134 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-45229 | 2 Redhat, Tianocore | 3 Enterprise Linux, Rhel Eus, Edk2 | 2025-02-13 | 6.5 Medium |
| EDK2's Network Package is susceptible to an out-of-bounds read vulnerability when processing the IA_NA or IA_TA option in a DHCPv6 Advertise message. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality. | ||||
| CVE-2023-28835 | 1 Nextcloud | 1 Nextcloud Server | 2025-02-11 | 3.5 Low |
| Nextcloud server is an open source home cloud implementation. In affected versions the generated fallback password when creating a share was using a weak complexity random number generator, so when the sharer did not change it the password could be guessable to an attacker willing to brute force it. It is recommended that the Nextcloud Server is upgraded to 24.0.10 or 25.0.4. This issue only affects users who do not have a password policy enabled, so enabling a password policy is an effective mitigation for users unable to upgrade. | ||||
| CVE-2023-31290 | 1 Trustwallet | 2 Trust Wallet Browser Extension, Trust Wallet Core | 2025-01-30 | 5.9 Medium |
| Trust Wallet Core before 3.1.1, as used in the Trust Wallet browser extension before 0.0.183, allows theft of funds because the entropy is 32 bits, as exploited in the wild in December 2022 and March 2023. This occurs because the mt19937 Mersenne Twister takes a single 32-bit value as an input seed, resulting in only four billion possible mnemonics. The affected versions of the browser extension are 0.0.172 through 0.0.182. To steal funds efficiently, an attacker can identify all Ethereum addresses created since the 0.0.172 release, and check whether they are Ethereum addresses that could have been created by this extension. To respond to the risk, affected users need to upgrade the product version and also move funds to a new wallet address. | ||||
| CVE-2025-22376 | 2025-01-21 | 5.3 Medium | ||
| In Net::OAuth::Client in the Net::OAuth package before 0.29 for Perl, the default nonce is a 32-bit integer generated from the built-in rand() function, which is not cryptographically strong. | ||||
| CVE-2023-28395 | 1 Propumpservice | 2 Osprey Pump Controller, Osprey Pump Controller Firmware | 2025-01-16 | 8.3 High |
| Osprey Pump Controller version 1.01 is vulnerable to a weak session token generation algorithm that can be predicted and can aid in authentication and authorization bypass. This may allow an attacker to hijack a session by predicting the session id and gain unauthorized access to the product. | ||||
| CVE-2023-2884 | 1 Cbot | 2 Cbot Core, Cbot Panel | 2025-01-15 | 9.8 Critical |
| Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG), Use of Insufficiently Random Values vulnerability in CBOT Chatbot allows Signature Spoofing by Key Recreation.This issue affects Chatbot: before Core: v4.0.3.4 Panel: v4.0.3.7. | ||||
| CVE-2024-40762 | 2025-01-09 | 9.8 Critical | ||
| Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in the SonicOS SSLVPN authentication token generator that, in certain cases, can be predicted by an attacker potentially resulting in authentication bypass. | ||||
| CVE-2023-32549 | 1 Canonical | 1 Landscape | 2025-01-07 | 6.8 Medium |
| Landscape cryptographic keys were insecurely generated with a weak pseudo-random generator. | ||||
| CVE-2002-20002 | 2025-01-06 | 5.4 Medium | ||
| The Net::EasyTCP package before 0.15 for Perl always uses Perl's builtin rand(), which is not a strong random number generator, for cryptographic keys. | ||||
| CVE-2025-21617 | 2025-01-06 | N/A | ||
| Guzzle OAuth Subscriber signs Guzzle requests using OAuth 1.0. Prior to 0.8.1, Nonce generation does not use sufficient entropy nor a cryptographically secure pseudorandom source. This can leave servers vulnerable to replay attacks when TLS is not used. This vulnerability is fixed in 0.8.1. | ||||
| CVE-2023-34363 | 1 Progress | 1 Datadirect Odbc Oracle Wire Protocol Driver | 2025-01-06 | 5.9 Medium |
| An issue was discovered in Progress DataDirect Connect for ODBC before 08.02.2770 for Oracle. When using Oracle Advanced Security (OAS) encryption, if an error is encountered initializing the encryption object used to encrypt data, the code falls back to a different encryption mechanism that uses an insecure random number generator to generate the private key. It is possible for a well-placed attacker to predict the output of this random number generator, which could lead to an attacker decrypting traffic between the driver and the database server. The vulnerability does not exist if SSL / TLS encryption is used. | ||||
| CVE-2022-48506 | 1 Dominionvoting | 1 Democracy Suite | 2025-01-02 | 2.4 Low |
| A flawed pseudorandom number generator in Dominion Voting Systems ImageCast Precinct (ICP and ICP2) and ImageCast Evolution (ICE) scanners allows anyone to determine the order in which ballots were cast from public ballot-level data, allowing deanonymization of voted ballots, in several types of scenarios. This issue was observed for use of the following versions of Democracy Suite: 5.2, 5.4-NM, 5.5, 5.5-A, 5.5-B, 5.5-C, 5.5-D, 5.7-A, 5.10, 5.10A, 5.15. NOTE: the Democracy Suite 5.17 EAC Certificate of Conformance mentions "Improved pseudo random number algorithm," which may be relevant. | ||||
| CVE-2018-25107 | 2024-12-31 | 7.5 High | ||
| The Crypt::Random::Source package before 0.13 for Perl has a fallback to the built-in rand() function, which is not a secure source of random bits. | ||||
| CVE-2024-53702 | 1 Sonicwall | 1 Sma100 Firmware | 2024-12-05 | 5.3 Medium |
| Use of cryptographically weak pseudo-random number generator (PRNG) vulnerability in the SonicWall SMA100 SSLVPN backup code generator that, in certain cases, can be predicted by an attacker, potentially exposing the generated secret. | ||||
| CVE-2024-45751 | 2024-11-30 | 5.9 Medium | ||
| tgt (aka Linux target framework) before 1.0.93 attempts to achieve entropy by calling rand without srand. The PRNG seed is always 1, and thus the sequence of challenges is always identical. | ||||
| CVE-2024-5264 | 1 Thalesgroup | 1 Luna Eft | 2024-11-21 | 5.9 Medium |
| Network Transfer with AES KHT in Thales Luna EFT 2.1 and above allows a user with administrative console access to access backups taken via offline analysis | ||||
| CVE-2024-38353 | 1 Hackmd | 1 Codimd | 2024-11-21 | 5.3 Medium |
| CodiMD allows realtime collaborative markdown notes on all platforms. CodiMD before 2.5.4 is missing authentication and access control vulnerability allowing an unauthenticated attacker to gain unauthorised access to image data uploaded to CodiMD. CodiMD does not require valid authentication to access uploaded images or to upload new image data. An attacker who can determine an uploaded image's URL can gain unauthorised access to uploaded image data. Due to the insecure random filename generation in the underlying Formidable library, an attacker can determine the filenames for previously uploaded images and the likelihood of this issue being exploited is increased. This vulnerability is fixed in 2.5.4. | ||||
| CVE-2024-34538 | 2024-11-21 | 7.5 High | ||
| Mateso PasswordSafe through 8.13.9.26689 has Weak Cryptography. | ||||
| CVE-2024-29868 | 2024-11-21 | 9.1 Critical | ||
| Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Apache StreamPipes user self-registration and password recovery mechanism. This allows an attacker to guess the recovery token in a reasonable time and thereby to take over the attacked user's account. This issue affects Apache StreamPipes: from 0.69.0 through 0.93.0. Users are recommended to upgrade to version 0.95.0, which fixes the issue. | ||||
| CVE-2024-24554 | 2024-11-21 | N/A | ||
| Bludit uses predictable methods in combination with the MD5 hashing algorithm to generate sensitive tokens such as the API token and the user token. This allows attackers to authenticate against the Bludit API. | ||||