Total
129 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-43799 | 1 Zulip | 1 Zulip | 2024-11-21 | 5.0 MEDIUM | 8.6 HIGH |
| Zulip is an open-source team collaboration tool. Zulip Server installs RabbitMQ for internal message passing. In versions of Zulip Server prior to 4.9, the initial installation (until first reboot, or restart of RabbitMQ) does not successfully limit the default ports which RabbitMQ opens; this includes port 25672, the RabbitMQ distribution port, which is used as a management port. RabbitMQ's default "cookie" which protects this port is generated using a weak PRNG, which limits the entropy of the password to at most 36 bits; in practicality, the seed for the randomizer is biased, resulting in approximately 20 bits of entropy. If other firewalls (at the OS or network level) do not protect port 25672, a remote attacker can brute-force the 20 bits of entropy in the "cookie" and leverage it for arbitrary execution of code as the rabbitmq user. They can also read all data which is sent through RabbitMQ, which includes all message traffic sent by users. Version 4.9 contains a patch for this vulnerability. As a workaround, ensure that firewalls prevent access to ports 5672 and 25672 from outside the Zulip server. | |||||
| CVE-2021-3990 | 1 Showdoc | 1 Showdoc | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| showdoc is vulnerable to Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) | |||||
| CVE-2021-3678 | 1 Showdoc | 1 Showdoc | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
| showdoc is vulnerable to Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) | |||||
| CVE-2021-3538 | 1 Satori | 1 Uuid | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| A flaw was found in github.com/satori/go.uuid in versions from commit 0ef6afb2f6cdd6cdaeee3885a95099c63f18fc8c to d91630c8510268e75203009fe7daf2b8e1d60c45. Due to insecure randomness in the g.rand.Read function the generated UUIDs are predictable for an attacker. | |||||
| CVE-2021-3047 | 1 Paloaltonetworks | 1 Pan-os | 2024-11-21 | 3.5 LOW | 4.2 MEDIUM |
| A cryptographically weak pseudo-random number generator (PRNG) is used during authentication to the Palo Alto Networks PAN-OS web interface. This enables an authenticated attacker, with the capability to observe their own authentication secrets over a long duration on the PAN-OS appliance, to impersonate another authenticated web interface administrator's session. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.19; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14; PAN-OS 9.1 versions earlier than PAN-OS 9.1.10; PAN-OS 10.0 versions earlier than PAN-OS 10.0.4. PAN-OS 10.1 versions are not impacted. | |||||
| CVE-2021-37553 | 1 Jetbrains | 1 Youtrack | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| In JetBrains YouTrack before 2021.2.16363, an insecure PRNG was used. | |||||
| CVE-2021-36171 | 1 Fortinet | 1 Fortiportal | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
| The use of a cryptographically weak pseudo-random number generator in the password reset feature of FortiPortal before 6.0.6 may allow a remote unauthenticated attacker to predict parts of or the whole newly generated password within a given time frame. | |||||
| CVE-2021-29245 | 1 Btcpayserver | 1 Btcpay Server | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| BTCPay Server through 1.0.7.0 uses a weak method Next to produce pseudo-random values to generate a legacy API key. | |||||
| CVE-2021-27913 | 1 Acquia | 1 Mautic | 2024-11-21 | 3.5 LOW | 3.5 LOW |
| The function mt_rand is used to generate session tokens, this function is cryptographically flawed due to its nature being one pseudorandomness, an attacker can take advantage of the cryptographically insecure nature of this function to enumerate session tokens for accounts that are not under his/her control This issue affects: Mautic Mautic versions prior to 3.3.4; versions prior to 4.0.0. | |||||
| CVE-2021-23126 | 1 Joomla | 1 Joomla\! | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in Joomla! 3.2.0 through 3.9.24. Usage of the insecure rand() function within the process of generating the 2FA secret. | |||||
| CVE-2021-22948 | 1 Revive-adserver | 1 Revive Adserver | 2024-11-21 | 4.3 MEDIUM | 7.1 HIGH |
| Vulnerability in the generation of session IDs in revive-adserver < 5.3.0, based on the cryptographically insecure uniqid() PHP function. Under some circumstances, an attacker could theoretically be able to brute force session IDs in order to take over a specific account. | |||||
| CVE-2021-0131 | 1 Intel | 219 Secl-dc, Xeon Bronze 3104, Xeon Bronze 3106 and 216 more | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| Use of cryptographically weak pseudo-random number generator (PRNG) in an API for the Intel(R) Security Library before version 3.3 may allow an authenticated user to potentially enable information disclosure via network access. | |||||
| CVE-2020-35926 | 1 Nanorand Project | 1 Nanorand | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in the nanorand crate before 0.5.1 for Rust. It caused any random number generator (even ChaCha) to return all zeroes because integer truncation was mishandled. | |||||
| CVE-2020-28924 | 2 Fedoraproject, Rclone | 2 Fedora, Rclone | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Rclone before 1.53.3. Due to the use of a weak random number generator, the password generator has been producing weak passwords with much less entropy than advertised. The suggested passwords depend deterministically on the time the second rclone was started. This limits the entropy of the passwords enormously. These passwords are often used in the crypt backend for encryption of data. It would be possible to make a dictionary of all possible passwords with about 38 million entries per password length. This would make decryption of secret material possible with a plausible amount of effort. NOTE: all passwords generated by affected versions should be changed. | |||||
| CVE-2020-28642 | 1 Infinitewp | 1 Infinitewp | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| In InfiniteWP Admin Panel before 3.1.12.3, resetPasswordSendMail generates a weak password-reset code, which makes it easier for remote attackers to conduct admin Account Takeover attacks. | |||||
| CVE-2019-8113 | 1 Magento | 1 Magento | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1 uses cryptographically weak random number generator to brute-force the confirmation code for customer registration. | |||||
| CVE-2019-5440 | 1 Revive-adserver | 1 Revive Adserver | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
| Use of cryptographically weak PRNG in the password recovery token generation of Revive Adserver < v4.2.1 causes a potential authentication bypass attack if an attacker exploits the password recovery functionality. In lib/OA/Dal/PasswordRecovery.php, the function generateRecoveryId() generates a password reset token that relies on the PHP uniqid function and consequently depends only on the current server time, which is often visible in an HTTP Date header. | |||||
| CVE-2019-19794 | 1 Miekg-dns Project | 1 Miekg-dns | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
| The miekg Go DNS package before 1.1.25, as used in CoreDNS before 1.6.6 and other products, improperly generates random numbers because math/rand is used. The TXID becomes predictable, leading to response forgeries. | |||||
| CVE-2019-16303 | 1 Jhipster | 2 Jhipster, Jhipster Kotlin | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| A class generated by the Generator in JHipster before 6.3.0 and JHipster Kotlin through 1.1.0 produces code that uses an insecure source of randomness (apache.commons.lang3 RandomStringUtils). This allows an attacker (if able to obtain their own password reset URL) to compute the value for all other password resets for other accounts, thus allowing privilege escalation or account takeover. | |||||
| CVE-2019-15075 | 1 Inextrix | 1 Astpp | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in iNextrix ASTPP before 4.0.1. web_interface/astpp/application/config/config.php does not have strong random keys, as demonstrated by use of the 8YSDaBtDHAB3EQkxPAyTz2I5DttzA9uR private key and the r)fddEw232f encryption key. | |||||