{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2010-02-25T00:00:00", "descriptions": [{"lang": "en", "value": "The Linear Congruential Generator (LCG) in PHP before 5.2.13 does not provide the expected entropy, which makes it easier for context-dependent attackers to guess values that were intended to be unpredictable, as demonstrated by session cookies generated by using the uniqid function."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2010-12-07T10:00:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "ADV-2010-0479", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2010/0479"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.php.net/releases/5_2_13.php"}, {"name": "RHSA-2010:0919", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://www.redhat.com/support/errata/RHSA-2010-0919.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.php.net/ChangeLog-5.php"}, {"name": "38708", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/38708"}, {"name": "38430", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/38430"}, {"name": "42410", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/42410"}, {"name": "ADV-2010-3081", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2010/3081"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2010-1128", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Linear Congruential Generator (LCG) in PHP before 5.2.13 does not provide the expected entropy, which makes it easier for context-dependent attackers to guess values that were intended to be unpredictable, as demonstrated by session cookies generated by using the uniqid function."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "ADV-2010-0479", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2010/0479"}, {"name": "http://www.php.net/releases/5_2_13.php", "refsource": "CONFIRM", "url": "http://www.php.net/releases/5_2_13.php"}, {"name": "RHSA-2010:0919", "refsource": "REDHAT", "url": "http://www.redhat.com/support/errata/RHSA-2010-0919.html"}, {"name": "http://www.php.net/ChangeLog-5.php", "refsource": "CONFIRM", "url": "http://www.php.net/ChangeLog-5.php"}, {"name": "38708", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/38708"}, {"name": "38430", "refsource": "BID", "url": "http://www.securityfocus.com/bid/38430"}, {"name": "42410", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/42410"}, {"name": "ADV-2010-3081", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2010/3081"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T01:14:06.300Z"}, "title": "CVE Program Container", "references": [{"name": "ADV-2010-0479", "tags": ["vdb-entry", "x_refsource_VUPEN", "x_transferred"], "url": "http://www.vupen.com/english/advisories/2010/0479"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.php.net/releases/5_2_13.php"}, {"name": "RHSA-2010:0919", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://www.redhat.com/support/errata/RHSA-2010-0919.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.php.net/ChangeLog-5.php"}, {"name": "38708", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/38708"}, {"name": "38430", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/38430"}, {"name": "42410", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/42410"}, {"name": "ADV-2010-3081", "tags": ["vdb-entry", "x_refsource_VUPEN", "x_transferred"], "url": "http://www.vupen.com/english/advisories/2010/3081"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2010-1128", "datePublished": "2010-03-26T20:00:00", "dateReserved": "2010-03-26T00:00:00", "dateUpdated": "2024-08-07T01:14:06.300Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*", "matchCriteriaId": "438EC66E-3D70-4780-AC53-22F850818612", "versionEndIncluding": "5.2.12", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:5.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "CD02D837-FD28-4E0F-93F8-25E8D1C84A99", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:5.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "88358D1E-BE6F-4CE3-A522-83D1FA4739E3", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:5.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "D8B97B03-7DA7-4A5F-89B4-E78CAB20DE17", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:5.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "86767200-6C9C-4C3E-B111-0E5BE61E197B", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:5.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "B00B416D-FF23-4C76-8751-26D305F0FA0F", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:5.2.5:*:*:*:*:*:*:*", "matchCriteriaId": "CCB6CDDD-70D3-4004-BCE0-8C4723076103", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:5.2.6:*:*:*:*:*:*:*", "matchCriteriaId": "A782CA26-9C38-40A8-92AE-D47B14D2FCE3", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:5.2.7:*:*:*:*:*:*:*", "matchCriteriaId": "1C0E7E2A-4770-4B68-B74C-5F5A6E1876DC", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:5.2.8:*:*:*:*:*:*:*", "matchCriteriaId": "0892C89E-9389-4452-B7E0-981A763CD426", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:5.2.9:*:*:*:*:*:*:*", "matchCriteriaId": "635F3CB1-B042-43CC-91AB-746098018D8C", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:5.2.10:*:*:*:*:*:*:*", "matchCriteriaId": "E1F32DDF-17A3-45B5-9227-833EBEBD3923", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:5.2.11:*:*:*:*:*:*:*", "matchCriteriaId": "2CDFB7E9-8510-430F-BFBC-FD811D60DC78", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Linear Congruential Generator (LCG) in PHP before 5.2.13 does not provide the expected entropy, which makes it easier for context-dependent attackers to guess values that were intended to be unpredictable, as demonstrated by session cookies generated by using the uniqid function."}, {"lang": "es", "value": "El Linear Congruential Generator (LCG) en PHP anteriores a v5.2.13 no provee la entrop\u00eda esperada, lo que hace m\u00e1s f\u00e1cil para atacantes dependiendo del contexto adivinar valores que deber\u00edan ser impredecibles, como se demostr\u00f3 con cookies de sesi\u00f3n generadas utilizando la funci\u00f3n uniqid."}], "id": "CVE-2010-1128", "lastModified": "2025-04-11T00:51:21.963", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2010-03-26T20:30:00.877", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/38708"}, {"source": "cve@mitre.org", "url": "http://secunia.com/advisories/42410"}, {"source": "cve@mitre.org", "url": "http://www.php.net/ChangeLog-5.php"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://www.php.net/releases/5_2_13.php"}, {"source": "cve@mitre.org", "url": "http://www.redhat.com/support/errata/RHSA-2010-0919.html"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://www.securityfocus.com/bid/38430"}, {"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "http://www.vupen.com/english/advisories/2010/0479"}, {"source": "cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2010/3081"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/38708"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/42410"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.php.net/ChangeLog-5.php"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://www.php.net/releases/5_2_13.php"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.redhat.com/support/errata/RHSA-2010-0919.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit"], "url": "http://www.securityfocus.com/bid/38430"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "http://www.vupen.com/english/advisories/2010/0479"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2010/3081"}], "sourceIdentifier": "cve@mitre.org", "vendorComments": [{"comment": "Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/show_bug.cgi?id=577582\n\nThe Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/", "lastModified": "2010-04-14T00:00:00", "organization": "Red Hat"}], "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-310"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2010:0919", "cpe": "cpe:/o:redhat:enterprise_linux:4", "package": "php-0:4.3.9-3.31", "product_name": "Red Hat Enterprise Linux 4", "release_date": "2010-11-29T00:00:00Z"}, {"advisory": "RHSA-2010:0919", "cpe": "cpe:/o:redhat:enterprise_linux:5", "package": "php-0:5.1.6-27.el5_5.3", "product_name": "Red Hat Enterprise Linux 5", "release_date": "2010-11-29T00:00:00Z"}], "bugzilla": {"description": "php: LCG entropy weakness", "id": "577582", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=577582"}, "csaw": false, "cvss": {"cvss_base_score": "2.6", "cvss_scoring_vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N", "status": "verified"}, "details": ["The Linear Congruential Generator (LCG) in PHP before 5.2.13 does not provide the expected entropy, which makes it easier for context-dependent attackers to guess values that were intended to be unpredictable, as demonstrated by session cookies generated by using the uniqid function."], "name": "CVE-2010-1128", "public_date": "2010-02-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2010-1128\nhttps://nvd.nist.gov/vuln/detail/CVE-2010-1128"], "statement": "This issue is not planned to be fixed in Red Hat Enterprise Linux 3 due to this product being in Production 3 of its maintenance life-cycle, where only qualified security errata of important and critical impact are addressed.\nFor further information about the Errata Support Policy, visit:\nhttp://www.redhat.com/security/updates/errata", "threat_severity": "Low"}