{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "The engineNextBytes function in classlib/modules/security/src/main/java/common/org/apache/harmony/security/provider/crypto/SHA1PRNG_SecureRandomImpl.java in the SecureRandom implementation in Apache Harmony through 6.0M3, as used in the Java Cryptography Architecture (JCA) in Android before 4.4 and other products, when no seed is provided by the user, uses an incorrect offset value, which makes it easier for attackers to defeat cryptographic protection mechanisms by leveraging the resulting PRNG predictability, as exploited in the wild against Bitcoin wallet applications in August 2013."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2014-04-29T20:00:00.000Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://www.nds.rub.de/media/nds/veroeffentlichungen/2013/03/25/paper_2.pdf"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://android.googlesource.com/platform/libcore/+/kitkat-release/luni/src/main/java/org/apache/harmony/security/provider/crypto/SHA1PRNG_SecureRandomImpl.java"}, {"tags": ["x_refsource_MISC"], "url": "https://bitcoin.org/en/alert/2013-08-11-android"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://android-developers.blogspot.com.au/2013/08/some-securerandom-thoughts.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2013-7372", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The engineNextBytes function in classlib/modules/security/src/main/java/common/org/apache/harmony/security/provider/crypto/SHA1PRNG_SecureRandomImpl.java in the SecureRandom implementation in Apache Harmony through 6.0M3, as used in the Java Cryptography Architecture (JCA) in Android before 4.4 and other products, when no seed is provided by the user, uses an incorrect offset value, which makes it easier for attackers to defeat cryptographic protection mechanisms by leveraging the resulting PRNG predictability, as exploited in the wild against Bitcoin wallet applications in August 2013."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://www.nds.rub.de/media/nds/veroeffentlichungen/2013/03/25/paper_2.pdf", "refsource": "MISC", "url": "http://www.nds.rub.de/media/nds/veroeffentlichungen/2013/03/25/paper_2.pdf"}, {"name": "https://android.googlesource.com/platform/libcore/+/kitkat-release/luni/src/main/java/org/apache/harmony/security/provider/crypto/SHA1PRNG_SecureRandomImpl.java", "refsource": "CONFIRM", "url": "https://android.googlesource.com/platform/libcore/+/kitkat-release/luni/src/main/java/org/apache/harmony/security/provider/crypto/SHA1PRNG_SecureRandomImpl.java"}, {"name": "https://bitcoin.org/en/alert/2013-08-11-android", "refsource": "MISC", "url": "https://bitcoin.org/en/alert/2013-08-11-android"}, {"name": "http://android-developers.blogspot.com.au/2013/08/some-securerandom-thoughts.html", "refsource": "CONFIRM", "url": "http://android-developers.blogspot.com.au/2013/08/some-securerandom-thoughts.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T18:01:20.462Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.nds.rub.de/media/nds/veroeffentlichungen/2013/03/25/paper_2.pdf"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://android.googlesource.com/platform/libcore/+/kitkat-release/luni/src/main/java/org/apache/harmony/security/provider/crypto/SHA1PRNG_SecureRandomImpl.java"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bitcoin.org/en/alert/2013-08-11-android"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://android-developers.blogspot.com.au/2013/08/some-securerandom-thoughts.html"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2013-7372", "datePublished": "2014-04-29T20:00:00.000Z", "dateReserved": "2014-04-29T00:00:00.000Z", "dateUpdated": "2024-09-17T02:33:10.764Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:harmony:*:m3:*:*:*:*:*:*", "matchCriteriaId": "8C17E42B-0DCC-40B5-9F06-470B5D2D5658", "versionEndIncluding": "6.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:google:android:*:*:*:*:*:*:*:*", "matchCriteriaId": "7C2C07AF-6B89-4B53-826B-BBB1E1A61D33", "versionEndIncluding": "4.3.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:google:android:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "A39C31E3-75C0-4E92-A6B5-7D67B22E3449", "vulnerable": true}, {"criteria": "cpe:2.3:o:google:android:4.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "BB318EA4-2908-4B91-8DBB-20008FDF528A", "vulnerable": true}, {"criteria": "cpe:2.3:o:google:android:4.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "1F4E46A9-B652-47CE-92E8-01021E57724B", "vulnerable": true}, {"criteria": "cpe:2.3:o:google:android:4.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "AB9B53C6-AE84-4A45-B83E-8E5CE44F7B93", "vulnerable": true}, {"criteria": "cpe:2.3:o:google:android:4.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "36DD8E3F-6308-4680-B932-4CBD8E58A7FB", "vulnerable": true}, {"criteria": "cpe:2.3:o:google:android:4.1:*:*:*:*:*:*:*", "matchCriteriaId": "1DA9F0F7-D592-481E-884C-B1A94E702825", "vulnerable": true}, {"criteria": "cpe:2.3:o:google:android:4.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "6CD857E7-B878-49F9-BDDA-93DDEBB0B42B", "vulnerable": true}, {"criteria": "cpe:2.3:o:google:android:4.2:*:*:*:*:*:*:*", "matchCriteriaId": "FBDABB6C-FFF9-4E79-9EF1-BDC0BBDEA9F1", "vulnerable": true}, {"criteria": "cpe:2.3:o:google:android:4.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "A47AB858-36DE-4330-8CAC-1B46C5C8DA80", "vulnerable": true}, {"criteria": "cpe:2.3:o:google:android:4.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "49413FF7-7910-4F74-B106-C3170612CB2A", "vulnerable": true}, {"criteria": "cpe:2.3:o:google:android:4.3:*:*:*:*:*:*:*", "matchCriteriaId": "A2467F65-A3B7-4E45-A9A5-E5A6EFD99D7B", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The engineNextBytes function in classlib/modules/security/src/main/java/common/org/apache/harmony/security/provider/crypto/SHA1PRNG_SecureRandomImpl.java in the SecureRandom implementation in Apache Harmony through 6.0M3, as used in the Java Cryptography Architecture (JCA) in Android before 4.4 and other products, when no seed is provided by the user, uses an incorrect offset value, which makes it easier for attackers to defeat cryptographic protection mechanisms by leveraging the resulting PRNG predictability, as exploited in the wild against Bitcoin wallet applications in August 2013."}, {"lang": "es", "value": "La funci\u00f3n engineNextBytes en classlib/modules/security/src/main/java/common/org/apache/harmony/security/provider/crypto/SHA1PRNG_SecureRandomImpl.java en la implementaci\u00f3n SecureRandom en Apache Harmony hasta 6.0M3, utilizado en Java Cryptography Architecture (JCA) en Android anterior a 4.4 y otros productos, cuando el usuario no proporciona una semilla, la funci\u00f3n usa utiliza un valor de desplazamiento incorrecto, lo que facilita a un atacante poder anular los mecanismos de protecci\u00f3n criptogr\u00e1fica mediante el aprovechamiento de la previsibilidad PRNG resultante, tal y como se demostr\u00f3 activamente contra las aplicaciones Bitcoin Wallet en agosto 2013."}], "id": "CVE-2013-7372", "lastModified": "2025-04-12T10:46:40.837", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2014-04-29T20:55:08.933", "references": [{"source": "cve@mitre.org", "tags": ["Patch"], "url": "http://android-developers.blogspot.com.au/2013/08/some-securerandom-thoughts.html"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://www.nds.rub.de/media/nds/veroeffentlichungen/2013/03/25/paper_2.pdf"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://android.googlesource.com/platform/libcore/+/kitkat-release/luni/src/main/java/org/apache/harmony/security/provider/crypto/SHA1PRNG_SecureRandomImpl.java"}, {"source": "cve@mitre.org", "url": "https://bitcoin.org/en/alert/2013-08-11-android"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "http://android-developers.blogspot.com.au/2013/08/some-securerandom-thoughts.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit"], "url": "http://www.nds.rub.de/media/nds/veroeffentlichungen/2013/03/25/paper_2.pdf"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://android.googlesource.com/platform/libcore/+/kitkat-release/luni/src/main/java/org/apache/harmony/security/provider/crypto/SHA1PRNG_SecureRandomImpl.java"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://bitcoin.org/en/alert/2013-08-11-android"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-310"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{}