Total
109 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2019-10754 | 1 Apereo | 1 Central Authentication Service | 2024-08-04 | 8.1 High |
| Multiple classes used within Apereo CAS before release 6.1.0-RC5 makes use of apache commons-lang3 RandomStringUtils for token and ID generation which makes them predictable due to RandomStringUtils PRNG's algorithm not being cryptographically strong. | ||||
| CVE-2019-10755 | 1 Pac4j | 1 Pac4j | 2024-08-04 | 4.9 Medium |
| The SAML identifier generated within SAML2Utils.java was found to make use of the apache commons-lang3 RandomStringUtils class which makes them predictable due to RandomStringUtils PRNG's algorithm not being cryptographically strong. This issue only affects the 3.X release of pac4j-saml. | ||||
| CVE-2019-8113 | 1 Magento | 1 Magento | 2024-08-04 | 5.3 Medium |
| Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1 uses cryptographically weak random number generator to brute-force the confirmation code for customer registration. | ||||
| CVE-2019-7860 | 1 Magento | 1 Magento | 2024-08-04 | N/A |
| A cryptographically weak pseudo-rando number generator is used in multiple security relevant contexts in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. | ||||
| CVE-2019-7855 | 1 Magento | 1 Magento | 2024-08-04 | N/A |
| A cryptograhic flaw in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 could be abused by an unauthenticated user to discover an invariant used in gift card generation. | ||||
| CVE-2019-5420 | 3 Debian, Fedoraproject, Rubyonrails | 3 Debian Linux, Fedora, Rails | 2024-08-04 | 9.8 Critical |
| A remote code execution vulnerability in development mode Rails <5.2.2.1, <6.0.0.beta3 can allow an attacker to guess the automatically generated development mode secret token. This secret token can be used in combination with other Rails internals to escalate to a remote code execution exploit. | ||||
| CVE-2019-5440 | 1 Revive-adserver | 1 Revive Adserver | 2024-08-04 | N/A |
| Use of cryptographically weak PRNG in the password recovery token generation of Revive Adserver < v4.2.1 causes a potential authentication bypass attack if an attacker exploits the password recovery functionality. In lib/OA/Dal/PasswordRecovery.php, the function generateRecoveryId() generates a password reset token that relies on the PHP uniqid function and consequently depends only on the current server time, which is often visible in an HTTP Date header. | ||||
| CVE-2020-28924 | 2 Fedoraproject, Rclone | 2 Fedora, Rclone | 2024-08-04 | 7.5 High |
| An issue was discovered in Rclone before 1.53.3. Due to the use of a weak random number generator, the password generator has been producing weak passwords with much less entropy than advertised. The suggested passwords depend deterministically on the time the second rclone was started. This limits the entropy of the passwords enormously. These passwords are often used in the crypt backend for encryption of data. It would be possible to make a dictionary of all possible passwords with about 38 million entries per password length. This would make decryption of secret material possible with a plausible amount of effort. NOTE: all passwords generated by affected versions should be changed. | ||||
| CVE-2020-28642 | 1 Infinitewp | 1 Infinitewp | 2024-08-04 | 9.8 Critical |
| In InfiniteWP Admin Panel before 3.1.12.3, resetPasswordSendMail generates a weak password-reset code, which makes it easier for remote attackers to conduct admin Account Takeover attacks. | ||||
| CVE-2020-11616 | 2 Intel, Nvidia | 2 Bmc Firmware, Dgx-1 | 2024-08-04 | 7.5 High |
| NVIDIA DGX servers, all BMC firmware versions prior to 3.38.30, contain a vulnerability in the AMI BMC firmware in which the Pseudo-Random Number Generator (PRNG) algorithm used in the JSOL package that implements the IPMI protocol is not cryptographically strong, which may lead to information disclosure. | ||||
| CVE-2020-10560 | 1 Opensource-socialnetwork | 1 Open Source Social Network | 2024-08-04 | 5.9 Medium |
| An issue was discovered in Open Source Social Network (OSSN) through 5.3. A user-controlled file path with a weak cryptographic rand() can be used to read any file with the permissions of the webserver. This can lead to further compromise. The attacker must conduct a brute-force attack against the SiteKey to insert into a crafted URL for components/OssnComments/ossn_com.php and/or libraries/ossn.lib.upgrade.php. | ||||
| CVE-2021-45489 | 1 Netbsd | 1 Netbsd | 2024-08-04 | 7.5 High |
| In NetBSD through 9.2, the IPv6 Flow Label generation algorithm employs a weak cryptographic PRNG. | ||||
| CVE-2021-45484 | 1 Netbsd | 1 Netbsd | 2024-08-04 | 7.5 High |
| In NetBSD through 9.2, the IPv6 fragment ID generation algorithm employs a weak cryptographic PRNG. | ||||
| CVE-2021-43799 | 1 Zulip | 1 Zulip | 2024-08-04 | 8.6 High |
| Zulip is an open-source team collaboration tool. Zulip Server installs RabbitMQ for internal message passing. In versions of Zulip Server prior to 4.9, the initial installation (until first reboot, or restart of RabbitMQ) does not successfully limit the default ports which RabbitMQ opens; this includes port 25672, the RabbitMQ distribution port, which is used as a management port. RabbitMQ's default "cookie" which protects this port is generated using a weak PRNG, which limits the entropy of the password to at most 36 bits; in practicality, the seed for the randomizer is biased, resulting in approximately 20 bits of entropy. If other firewalls (at the OS or network level) do not protect port 25672, a remote attacker can brute-force the 20 bits of entropy in the "cookie" and leverage it for arbitrary execution of code as the rabbitmq user. They can also read all data which is sent through RabbitMQ, which includes all message traffic sent by users. Version 4.9 contains a patch for this vulnerability. As a workaround, ensure that firewalls prevent access to ports 5672 and 25672 from outside the Zulip server. | ||||
| CVE-2021-37553 | 1 Jetbrains | 1 Youtrack | 2024-08-04 | 7.5 High |
| In JetBrains YouTrack before 2021.2.16363, an insecure PRNG was used. | ||||
| CVE-2021-34430 | 1 Eclipse | 1 Tinydtls | 2024-08-04 | 7.5 High |
| Eclipse TinyDTLS through 0.9-rc1 relies on the rand function in the C library, which makes it easier for remote attackers to compute the master key and then decrypt DTLS traffic. | ||||
| CVE-2021-29245 | 1 Btcpayserver | 1 Btcpay Server | 2024-08-03 | 5.3 Medium |
| BTCPay Server through 1.0.7.0 uses a weak method Next to produce pseudo-random values to generate a legacy API key. | ||||
| CVE-2021-22948 | 1 Revive-adserver | 1 Revive Adserver | 2024-08-03 | 7.1 High |
| Vulnerability in the generation of session IDs in revive-adserver < 5.3.0, based on the cryptographically insecure uniqid() PHP function. Under some circumstances, an attacker could theoretically be able to brute force session IDs in order to take over a specific account. | ||||
| CVE-2021-3990 | 1 Showdoc | 1 Showdoc | 2024-08-03 | 6.5 Medium |
| showdoc is vulnerable to Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) | ||||
| CVE-2021-3678 | 1 Showdoc | 1 Showdoc | 2024-08-03 | 5.9 Medium |
| showdoc is vulnerable to Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) | ||||