Common Weakness Enumeration

CWE-330

Discouraged

Use of Insufficiently Random Values

Abstraction: Class · Status: Stable

The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.

445 vulnerabilities reference this CWE, most recent first.

GHSA-V2R2-7QM7-JJ6V

Vulnerability from github – Published: 2019-04-16 15:10 – Updated: 2022-11-17 19:45
VLAI
Summary
Spring Security uses insufficiently random values
Details

Spring Security versions 4.2.x prior to 4.2.12, 5.0.x prior to 5.0.12, and 5.1.x prior to 5.1.5 contain an insecure randomness vulnerability when using SecureRandomFactoryBean#setSeed to configure a SecureRandom instance. In order to be impacted, an honest application must provide a seed and make the resulting random material available to an attacker for inspection.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.springframework.security:spring-security-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.2.0"
            },
            {
              "fixed": "4.2.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.springframework.security:spring-security-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.0.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.springframework.security:spring-security-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.1.0"
            },
            {
              "fixed": "5.1.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-3795"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-330"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:56:26Z",
    "nvd_published_at": "2019-04-09T16:29:00Z",
    "severity": "MODERATE"
  },
  "details": "Spring Security versions 4.2.x prior to 4.2.12, 5.0.x prior to 5.0.12, and 5.1.x prior to 5.1.5 contain an insecure randomness vulnerability when using SecureRandomFactoryBean#setSeed to configure a SecureRandom instance. In order to be impacted, an honest application must provide a seed and make the resulting random material available to an attacker for inspection.",
  "id": "GHSA-v2r2-7qm7-jj6v",
  "modified": "2022-11-17T19:45:44Z",
  "published": "2019-04-16T15:10:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-3795"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-v2r2-7qm7-jj6v"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2019/05/msg00026.html"
    },
    {
      "type": "WEB",
      "url": "https://pivotal.io/security/cve-2019-3795"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/107802"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Spring Security uses insufficiently random values"
}

GHSA-V589-JQPW-96MW

Vulnerability from github – Published: 2023-03-31 18:30 – Updated: 2023-04-07 18:30
VLAI
Details

Akuvox E11 contains a function that encrypts messages which are then forwarded. The IV vector and the key are static, and this may allow an attacker to decrypt messages.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-0343"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-330"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-03-31T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "Akuvox E11 contains a function that encrypts messages which are then forwarded. The IV vector and the key are static, and this may allow an attacker to decrypt messages.",
  "id": "GHSA-v589-jqpw-96mw",
  "modified": "2023-04-07T18:30:50Z",
  "published": "2023-03-31T18:30:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0343"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-068-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V6RC-95XW-8XP5

Vulnerability from github – Published: 2026-07-05 03:32 – Updated: 2026-07-06 15:30
VLAI
Details

Crypt::DSA versions before 1.22 for Perl draw the DSA signing nonce and private key from a biased random generator, leading to private-key recovery.

"Crypt::DSA::Util::makerandom forces the high bit of every value it returns to obtain an exactly N-bit integer for prime search. The signing nonce and the private key are drawn from makerandom. Because the high bit is always set, the result is not uniform: its top bit is fixed, producing insecure values."

An attacker who collects a modest number of signatures under an affected key, together with the public key, can recover the private key with a lattice attack.

Keys used to sign with an affected version should be considered compromised and new keys should be generated.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-14570"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-330"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-05T02:17:40Z",
    "severity": "HIGH"
  },
  "details": "Crypt::DSA versions before 1.22 for Perl draw the DSA signing nonce and private key from a biased random generator, leading to private-key recovery.\n\n\"Crypt::DSA::Util::makerandom forces the high bit of every value it returns to obtain an exactly N-bit integer for prime search. The signing nonce and the private key are drawn from makerandom. Because the high bit is always set, the result is not uniform: its top bit is fixed, producing insecure values.\"\n\nAn attacker who collects a modest number of signatures under an affected key, together with the public key, can recover the private key with a lattice attack.\n\nKeys used to sign with an affected version should be considered compromised and new keys should be generated.",
  "id": "GHSA-v6rc-95xw-8xp5",
  "modified": "2026-07-06T15:30:46Z",
  "published": "2026-07-05T03:32:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14570"
    },
    {
      "type": "WEB",
      "url": "https://metacpan.org/release/TIMLEGGE/Crypt-DSA-1.21/source/lib/Crypt/DSA/Util.pm#L56"
    },
    {
      "type": "WEB",
      "url": "https://metacpan.org/release/TIMLEGGE/Crypt-DSA-1.22/changes"
    },
    {
      "type": "WEB",
      "url": "https://metacpan.org/release/TIMLEGGE/Crypt-DSA-1.22/diff/TIMLEGGE/Crypt-DSA-1.21#lib/Crypt/DSA/Util.pm"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/07/05/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V6WR-FCH2-VM5W

Vulnerability from github – Published: 2018-10-18 17:41 – Updated: 2023-09-12 14:43
VLAI
Summary
OrientDB Server Community Edition uses insufficiently random values to generate session IDs
Details

OrientDB Server Community Edition before 2.0.15 and 2.1.x before 2.1.1 improperly relies on the java.util.Random class for generation of random Session ID values in the server/network/protocol/http/OHttpSessionManager.java, which makes it easier for remote attackers to predict a value by determining the internal state of the PRNG in this class.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.orientechnologies:orientdb-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.orientechnologies:orientdb-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.1.0"
            },
            {
              "fixed": "2.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.1.0"
      ]
    }
  ],
  "aliases": [
    "CVE-2015-2913"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-330"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:57:02Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "OrientDB Server Community Edition before 2.0.15 and 2.1.x before 2.1.1 improperly relies on the `java.util.Random` class for generation of random Session ID values in the `server/network/protocol/http/OHttpSessionManager.java`, which makes it easier for remote attackers to predict a value by determining the internal state of the PRNG in this class.",
  "id": "GHSA-v6wr-fch2-vm5w",
  "modified": "2023-09-12T14:43:49Z",
  "published": "2018-10-18T17:41:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-2913"
    },
    {
      "type": "WEB",
      "url": "https://github.com/orientechnologies/orientdb/commit/668ece96be210e742a4e2820a3085b215cf55104"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-v6wr-fch2-vm5w"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/orientechnologies/orientdb"
    },
    {
      "type": "WEB",
      "url": "https://www.kb.cert.org/vuls/id/845332"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OrientDB Server Community Edition uses insufficiently random values to generate session IDs"
}

GHSA-V7PR-9GFG-7HPC

Vulnerability from github – Published: 2022-07-26 00:01 – Updated: 2023-07-11 15:31
VLAI
Details

LibreOffice supports the storage of passwords for web connections in the user’s configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in LibreOffice existed where the required initialization vector for encryption was always the same which weakens the security of the encryption making them vulnerable if an attacker has access to the user's configuration data. This issue affects: The Document Foundation LibreOffice 7.2 versions prior to 7.2.7; 7.3 versions prior to 7.3.1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-26306"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326",
      "CWE-330"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-07-25T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "LibreOffice supports the storage of passwords for web connections in the user\u2019s configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in LibreOffice existed where the required initialization vector for encryption was always the same which weakens the security of the encryption making them vulnerable if an attacker has access to the user\u0027s configuration data. This issue affects: The Document Foundation LibreOffice 7.2 versions prior to 7.2.7; 7.3 versions prior to 7.3.1.",
  "id": "GHSA-v7pr-9gfg-7hpc",
  "modified": "2023-07-11T15:31:08Z",
  "published": "2022-07-26T00:01:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26306"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/03/msg00022.html"
    },
    {
      "type": "WEB",
      "url": "https://www.libreoffice.org/about-us/security/advisories/cve-2022-26306"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2022/08/13/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V9GV-XP36-JGJ8

Vulnerability from github – Published: 2026-06-30 16:15 – Updated: 2026-06-30 16:15
VLAI
Summary
RabbitMQ has predictable credential obfuscation seed value used in Shovel and Federation plugins
Details

Impact

Shovel and Federation plugins perform URI obfuscation in their worker (link) state. The encryption key used to encrypt the URI was seeded with a predictable secret.

This means that in case of certain exceptions related to Shovel and Federation plugins, reasonably easily deobfuscatable data could appear in the node log.

Patched versions correctly use a cluster-wide secret for that purpose.

Patches

Patched versions:

  • 3.10.2
  • 3.9.18
  • 3.8.32

Workarounds

Disable Shovel and Federation plugins.

Credits

RabbitMQ core team would like to thank Lajos @luos Gerecs and Anh Nguyen from Erlang Solutions for responsibly disclosing and working with us on a patch for this vulnerability.

For more information

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Hex",
        "name": "rabbit_common"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.10.0"
            },
            {
              "fixed": "3.10.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Hex",
        "name": "rabbit_common"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.9.0"
            },
            {
              "fixed": "3.9.18"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Hex",
        "name": "rabbit_common"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.8.0"
            },
            {
              "fixed": "3.8.32"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-31008"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-330",
      "CWE-335"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-30T16:15:48Z",
    "nvd_published_at": "2022-10-06T18:16:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nShovel and Federation plugins perform URI obfuscation in their worker (link) state. The encryption key used to encrypt\nthe URI was seeded with a predictable secret.\n\nThis means that in case of certain exceptions related to Shovel and Federation plugins,\nreasonably easily deobfuscatable data could appear in the node log.\n\nPatched versions correctly use a cluster-wide secret for that purpose.\n\n### Patches\n\nPatched versions:\n\n * `3.10.2`\n * `3.9.18`\n * `3.8.32`\n\n### Workarounds\n\nDisable Shovel and Federation plugins.\n\n### Credits\n\nRabbitMQ core team would like to thank Lajos @luos Gerecs and Anh Nguyen from Erlang Solutions\nfor responsibly disclosing and working with us on a patch for this vulnerability.\n\n### For more information\n\n * [Mailing list](https://groups.google.com/forum/#!forum/rabbitmq-users)\n * [Community Slack](https://rabbitmq-slack.herokuapp.com/)",
  "id": "GHSA-v9gv-xp36-jgj8",
  "modified": "2026-06-30T16:15:48Z",
  "published": "2026-06-30T16:15:48Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-v9gv-xp36-jgj8"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31008"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rabbitmq/rabbitmq-server/pull/4841"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rabbitmq/rabbitmq-server/commit/c22e1cb20e656d211e025c417d1fc75a9067b717"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/rabbitmq/rabbitmq-server"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "RabbitMQ has predictable credential obfuscation seed value used in Shovel and Federation plugins"
}

GHSA-VCWC-JG96-FG4R

Vulnerability from github – Published: 2022-05-24 17:44 – Updated: 2022-05-24 17:44
VLAI
Details

In onPackageModified of VoiceInteractionManagerService.java, there is a possible change of default applications due to an insecure default value. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-167261484

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-0375"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-330"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-03-10T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In onPackageModified of VoiceInteractionManagerService.java, there is a possible change of default applications due to an insecure default value. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-167261484",
  "id": "GHSA-vcwc-jg96-fg4r",
  "modified": "2022-05-24T17:44:06Z",
  "published": "2022-05-24T17:44:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0375"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/pixel/2021-03-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-VFGX-5Q85-58Q3

Vulnerability from github – Published: 2026-03-31 23:43 – Updated: 2026-03-31 23:43
VLAI
Summary
openssl-encrypt has non-cryptographic PRNG used for steganography pixel selection
Details

Summary

The generate_pseudorandom_sequence() function in openssl_encrypt/plugins/steganography/core/utils.py at lines 89-91 uses Python's random module (Mersenne Twister) for steganographic pixel/sample selection.

Affected Code

random.seed(seed)
sequence = random.sample(range(max_value), min(length, max_value))
return sequence

Additionally, the steganography password is stored as a plain Python string (not SecureBytes) and only 8 bytes (64 bits) of the SHA-256 hash are used for the seed, reducing effective security to 64 bits.

Impact

The Mersenne Twister's state can be recovered from approximately 624 outputs. An attacker who knows or guesses the password can predict the PRNG sequence and determine exactly which pixels contain hidden data, potentially extracting the hidden data without the password.

Recommended Fix

  • Use HMAC-DRBG or secrets module for cryptographically secure pixel selection
  • Use full 32-byte SHA-256 output as seed material
  • Store the password in SecureBytes instead of a plain string

Fix

Fixed in commit 09e96e0 on branch releases/1.4.x — replaced random.seed(hash(password)) with HMAC-SHA256 based CSPRNG (Fisher-Yates shuffle) and numpy Generator with HMAC-derived seeds across all steganography format modules.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "openssl-encrypt"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-330"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-31T23:43:06Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nThe `generate_pseudorandom_sequence()` function in `openssl_encrypt/plugins/steganography/core/utils.py` at **lines 89-91** uses Python\u0027s `random` module (Mersenne Twister) for steganographic pixel/sample selection.\n\n### Affected Code\n\n```python\nrandom.seed(seed)\nsequence = random.sample(range(max_value), min(length, max_value))\nreturn sequence\n```\n\nAdditionally, the steganography password is stored as a plain Python string (not `SecureBytes`) and only 8 bytes (64 bits) of the SHA-256 hash are used for the seed, reducing effective security to 64 bits.\n\n### Impact\n\nThe Mersenne Twister\u0027s state can be recovered from approximately 624 outputs. An attacker who knows or guesses the password can predict the PRNG sequence and determine exactly which pixels contain hidden data, potentially extracting the hidden data without the password.\n\n### Recommended Fix\n\n- Use HMAC-DRBG or `secrets` module for cryptographically secure pixel selection\n- Use full 32-byte SHA-256 output as seed material\n- Store the password in `SecureBytes` instead of a plain string\n\n### Fix\n\nFixed in commit `09e96e0` on branch `releases/1.4.x` \u2014 replaced random.seed(hash(password)) with HMAC-SHA256 based CSPRNG (Fisher-Yates shuffle) and numpy Generator with HMAC-derived seeds across all steganography format modules.",
  "id": "GHSA-vfgx-5q85-58q3",
  "modified": "2026-03-31T23:43:06Z",
  "published": "2026-03-31T23:43:06Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/jahlives/openssl_encrypt/security/advisories/GHSA-vfgx-5q85-58q3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jahlives/openssl_encrypt/commit/09e96e090417d34d2f533f6810d3cd4f77810101"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jahlives/openssl_encrypt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "openssl-encrypt has non-cryptographic PRNG used for steganography pixel selection"
}

GHSA-VGH3-QFVH-CW6Q

Vulnerability from github – Published: 2022-05-17 03:15 – Updated: 2022-05-17 03:15
VLAI
Details

Johnson & Johnson Animas OneTouch Ping devices do not properly generate random numbers, which makes it easier for remote attackers to spoof meters by sniffing the network and then engaging in an authentication handshake.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-5085"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-330"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2016-10-05T10:59:00Z",
    "severity": "HIGH"
  },
  "details": "Johnson \u0026 Johnson Animas OneTouch Ping devices do not properly generate random numbers, which makes it easier for remote attackers to spoof meters by sniffing the network and then engaging in an authentication handshake.",
  "id": "GHSA-vgh3-qfvh-cw6q",
  "modified": "2022-05-17T03:15:21Z",
  "published": "2022-05-17T03:15:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-5085"
    },
    {
      "type": "WEB",
      "url": "https://community.rapid7.com/community/infosec/blog/2016/10/04/r7-2016-07-multiple-vulnerabilities-in-animas-onetouch-ping-insulin-pump"
    },
    {
      "type": "WEB",
      "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-16-279-01"
    },
    {
      "type": "WEB",
      "url": "http://www.kb.cert.org/vuls/id/884840"
    },
    {
      "type": "WEB",
      "url": "http://www.kb.cert.org/vuls/id/BLUU-A9SQRS"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/93351"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VGMM-R7WP-GMV8

Vulnerability from github – Published: 2022-03-15 00:00 – Updated: 2024-10-07 18:31
VLAI
Details

The Rambus SafeZone Basic Crypto Module, as used in certain Fujifilm (formerly Fuji Xerox) devices before 2022-03-01 and potentially many other devices, generates RSA keys that can be broken with Fermat's factorization method. This allows efficient calculation of private RSA keys from the public key of a TLS certificate.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-26320"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-330"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-03-14T18:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "The Rambus SafeZone Basic Crypto Module, as used in certain Fujifilm (formerly Fuji Xerox) devices before 2022-03-01 and potentially many other devices, generates RSA keys that can be broken with Fermat\u0027s factorization method. This allows efficient calculation of private RSA keys from the public key of a TLS certificate.",
  "id": "GHSA-vgmm-r7wp-gmv8",
  "modified": "2024-10-07T18:31:00Z",
  "published": "2022-03-15T00:00:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26320"
    },
    {
      "type": "WEB",
      "url": "https://fermatattack.secvuln.info"
    },
    {
      "type": "WEB",
      "url": "https://global.canon/en/support/security/index.html"
    },
    {
      "type": "WEB",
      "url": "https://safezoneswupdate.com"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20220922042721/https://safezoneswupdate.com"
    },
    {
      "type": "WEB",
      "url": "https://www.fujifilm.com/fbglobal/eng/company/news/notice/2022/0302_rsakey_announce.html"
    },
    {
      "type": "WEB",
      "url": "https://www.rambus.com/security/response-center/advisories/rmbs-2021-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design
  • Use a well-vetted algorithm that is currently considered to be strong by experts in the field, and select well-tested implementations with adequate length seeds.
  • In general, if a pseudo-random number generator is not advertised as being cryptographically secure, then it is probably a statistical PRNG and should not be used in security-sensitive contexts.
  • Pseudo-random number generators can produce predictable numbers if the generator is known and the seed can be guessed. A 256-bit seed is a good starting point for producing a "random enough" number.
Mitigation
Implementation

Consider a PRNG that re-seeds itself as needed from high quality pseudo-random output sources, such as hardware devices.

Mitigation MIT-2
Architecture and Design Requirements

Strategy: Libraries or Frameworks

Use products or modules that conform to FIPS 140-2 [REF-267] to avoid obvious entropy problems. Consult FIPS 140-2 Annex C ("Approved Random Number Generators").

CAPEC-112: Brute Force

In this attack, some asset (information, functionality, identity, etc.) is protected by a finite secret value. The attacker attempts to gain access to this asset by using trial-and-error to exhaustively explore all the possible secret values in the hope of finding the secret (or a value that is functionally equivalent) that will unlock the asset.

CAPEC-485: Signature Spoofing by Key Recreation

An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.

CAPEC-59: Session Credential Falsification through Prediction

This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.