CWE-330
DiscouragedUse of Insufficiently Random Values
Abstraction: Class · Status: Stable
The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.
445 vulnerabilities reference this CWE, most recent first.
CVE-2024-4185 (GCVE-0-2024-4185)
Vulnerability from cvelistv5 – Published: 2024-04-30 08:32 – Updated: 2026-04-08 17:31- CWE-330 - Use of Insufficiently Random Values
| Vendor | Product | Version | |
|---|---|---|---|
| wpcodefactory | Customer Email Verification for WooCommerce |
Affected:
0 , ≤ 2.7.4
(semver)
|
|
| wpfactory | customer_email_verification_for_woocommerce |
Affected:
0 , ≤ 2.7.4
(custom)
cpe:2.3:a:wpfactory:customer_email_verification_for_woocommerce:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:wpfactory:customer_email_verification_for_woocommerce:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "customer_email_verification_for_woocommerce",
"vendor": "wpfactory",
"versions": [
{
"lessThanOrEqual": "2.7.4",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-4185",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-02T16:51:56.560610Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-02T20:06:07.808Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:33:52.503Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ebae4b18-5b5f-45c3-86e2-02eefd7abdb7?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/emails-verification-for-woocommerce/tags/2.7.4/includes/alg-wc-ev-functions.php#L299"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/emails-verification-for-woocommerce/tags/2.7.4/includes/class-alg-wc-ev-core.php#L731"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3078804/emails-verification-for-woocommerce#file2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Customer Email Verification for WooCommerce",
"vendor": "wpcodefactory",
"versions": [
{
"lessThanOrEqual": "2.7.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Istv\u00e1n M\u00e1rton"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Customer Email Verification for WooCommerce plugin for WordPress is vulnerable to Email Verification and Authentication Bypass in all versions up to, and including, 2.7.4 via the use of insufficiently random activation code. This makes it possible for unauthenticated attackers to bypass the email verification, and if both the \"Login the user automatically after the account is verified\" and \"Verify account for current users\" options are checked, then it potentially makes it possible for attackers to bypass authentication for other users."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-330",
"description": "CWE-330 Use of Insufficiently Random Values",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:31:15.707Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ebae4b18-5b5f-45c3-86e2-02eefd7abdb7?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/emails-verification-for-woocommerce/tags/2.7.4/includes/alg-wc-ev-functions.php#L299"
},
{
"url": "https://plugins.trac.wordpress.org/browser/emails-verification-for-woocommerce/tags/2.7.4/includes/class-alg-wc-ev-core.php#L731"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3078804/emails-verification-for-woocommerce#file2"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-04-24T00:00:00.000Z",
"value": "Discovered"
},
{
"lang": "en",
"time": "2024-04-24T00:00:00.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2024-04-29T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Customer Email Verification for WooCommerce \u003c= 2.7.4 - Email Verification and Authentication Bypass due to Insufficient Randomness"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-4185",
"datePublished": "2024-04-30T08:32:23.492Z",
"dateReserved": "2024-04-25T14:28:40.021Z",
"dateUpdated": "2026-04-08T17:31:15.707Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-1631 (GCVE-0-2024-1631)
Vulnerability from cvelistv5 – Published: 2024-02-21 02:12 – Updated: 2024-08-16 14:55| Vendor | Product | Version | |
|---|---|---|---|
| Internet Computer | agent-js |
Affected:
v0.20.0-beta.0 , < v1.0.1
(1.0.1)
|
|
| dfinity | agent-js |
Affected:
v0.20.0-beta.0 , < v1.0.1
(custom)
cpe:2.3:a:dfinity:agent-js:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:48:20.675Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/dfinity/agent-js/pull/851"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.npmjs.com/package/@dfinity/identity/v/1.0.1"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/dfinity/agent-js"
},
{
"tags": [
"x_transferred"
],
"url": "https://agent-js.icp.xyz/identity/index.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/dfinity/agent-js/security/advisories/GHSA-c9vv-fhgv-cjc3"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:dfinity:agent-js:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "agent-js",
"vendor": "dfinity",
"versions": [
{
"lessThan": "v1.0.1",
"status": "affected",
"version": "v0.20.0-beta.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-1631",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-14T20:25:01.551447Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-16T14:55:17.037Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "agent-js",
"programFiles": [
"https://github.com/dfinity/agent-js/blob/main/packages/identity/src/identity/ed25519.ts"
],
"vendor": "Internet Computer",
"versions": [
{
"lessThan": "v1.0.1",
"status": "affected",
"version": "v0.20.0-beta.0",
"versionType": "1.0.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Impact: The library offers a function to generate an ed25519 key pair via Ed25519KeyIdentity.generate with an optional param to provide a 32 byte seed value, which will then be used as the secret key. When no seed value is provided, it is expected that the library generates the secret key using secure randomness. However, a recent change broke this guarantee and uses an insecure seed for key pair generation. Since the private key of this identity (535yc-uxytb-gfk7h-tny7p-vjkoe-i4krp-3qmcl-uqfgr-cpgej-yqtjq-rqe) is compromised, one could lose funds associated with the principal on ledgers or lose access to a canister where this principal is the controller. \u003cbr\u003e"
}
],
"value": "Impact: The library offers a function to generate an ed25519 key pair via Ed25519KeyIdentity.generate with an optional param to provide a 32 byte seed value, which will then be used as the secret key. When no seed value is provided, it is expected that the library generates the secret key using secure randomness. However, a recent change broke this guarantee and uses an insecure seed for key pair generation. Since the private key of this identity (535yc-uxytb-gfk7h-tny7p-vjkoe-i4krp-3qmcl-uqfgr-cpgej-yqtjq-rqe) is compromised, one could lose funds associated with the principal on ledgers or lose access to a canister where this principal is the controller. \n"
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "Broken access control"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-321",
"description": "CWE-321: Use of Hard-coded Cryptographic Key",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-330",
"description": "CWE-330: Use of Insufficiently Random Values",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-21T05:09:43.340Z",
"orgId": "6b35d637-e00f-4228-858c-b20ad6e1d07b",
"shortName": "Dfinity"
},
"references": [
{
"url": "https://github.com/dfinity/agent-js/pull/851"
},
{
"url": "https://www.npmjs.com/package/@dfinity/identity/v/1.0.1"
},
{
"url": "https://github.com/dfinity/agent-js"
},
{
"url": "https://agent-js.icp.xyz/identity/index.html"
},
{
"url": "https://github.com/dfinity/agent-js/security/advisories/GHSA-c9vv-fhgv-cjc3"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "agent-js: Insecure Key Generation in `Ed25519KeyIdentity.generate`",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b35d637-e00f-4228-858c-b20ad6e1d07b",
"assignerShortName": "Dfinity",
"cveId": "CVE-2024-1631",
"datePublished": "2024-02-21T02:12:38.403Z",
"dateReserved": "2024-02-19T15:58:47.713Z",
"dateUpdated": "2024-08-16T14:55:17.037Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-0761 (GCVE-0-2024-0761)
Vulnerability from cvelistv5 – Published: 2024-02-05 21:21 – Updated: 2026-04-08 16:37- CWE-330 - Use of Insufficiently Random Values
| Vendor | Product | Version | |
|---|---|---|---|
| mndpsingh287 | File Manager |
Affected:
0 , ≤ 7.2.1
(semver)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:18:18.640Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1928f8e4-8bbe-4a3f-8284-aa12ca2f5176?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://wordpress.org/plugins/wp-file-manager/"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3023403/wp-file-manager/trunk/file_folder_manager.php?old=2984933\u0026old_path=wp-file-manager%2Ftrunk%2Ffile_folder_manager.php"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-0761",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-22T18:06:32.772273Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T21:29:25.417Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "File Manager",
"vendor": "mndpsingh287",
"versions": [
{
"lessThanOrEqual": "7.2.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Yuki Haruma"
}
],
"descriptions": [
{
"lang": "en",
"value": "The File Manager plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.2.1 due to insufficient randomness in the backup filenames, which use a timestamp plus 4 random digits. This makes it possible for unauthenticated attackers, to extract sensitive data including site backups in configurations where the .htaccess file in the directory does not block access."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-330",
"description": "CWE-330 Use of Insufficiently Random Values",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:37:46.912Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1928f8e4-8bbe-4a3f-8284-aa12ca2f5176?source=cve"
},
{
"url": "https://wordpress.org/plugins/wp-file-manager/"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3023403/wp-file-manager/trunk/file_folder_manager.php?old=2984933\u0026old_path=wp-file-manager%2Ftrunk%2Ffile_folder_manager.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-10-30T01:48:05.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2024-01-22T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "File Manager \u003c= 7.2.1 - Sensitive Information Exposure via Backup Filenames"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-0761",
"datePublished": "2024-02-05T21:21:34.656Z",
"dateReserved": "2024-01-19T20:27:12.161Z",
"dateUpdated": "2026-04-08T16:37:46.912Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-46740 (GCVE-0-2023-46740)
Vulnerability from cvelistv5 – Published: 2024-01-03 16:20 – Updated: 2025-06-17 20:29- CWE-330 - Use of Insufficiently Random Values
| URL | Tags |
|---|---|
| https://github.com/cubefs/cubefs/security/advisor… | x_refsource_CONFIRM |
| https://github.com/cubefs/cubefs/commit/8555c6402… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:53:20.897Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/cubefs/cubefs/security/advisories/GHSA-4248-p65p-hcrm",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/cubefs/cubefs/security/advisories/GHSA-4248-p65p-hcrm"
},
{
"name": "https://github.com/cubefs/cubefs/commit/8555c6402794cabdf2cc025c8bea1576122c07ba",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/cubefs/cubefs/commit/8555c6402794cabdf2cc025c8bea1576122c07ba"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-46740",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-01-11T15:51:34.830602Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T20:29:07.424Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "cubefs",
"vendor": "cubefs",
"versions": [
{
"status": "affected",
"version": "\u003c 3.3.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "CubeFS is an open-source cloud-native file storage system. Prior to version 3.3.1, CubeFS used an insecure random string generator to generate user-specific, sensitive keys used to authenticate users in a CubeFS deployment. This could allow an attacker to predict and/or guess the generated string and impersonate a user thereby obtaining higher privileges. When CubeFS creates new users, it creates a piece of sensitive information for the user called the \u201caccessKey\u201d. To create the \"accesKey\", CubeFS uses an insecure string generator which makes it easy to guess and thereby impersonate the created user. An attacker could leverage the predictable random string generator and guess a users access key and impersonate the user to obtain higher privileges. The issue has been fixed in v3.3.1. There is no other mitigation than to upgrade."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-330",
"description": "CWE-330: Use of Insufficiently Random Values",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-03T16:20:18.619Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/cubefs/cubefs/security/advisories/GHSA-4248-p65p-hcrm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/cubefs/cubefs/security/advisories/GHSA-4248-p65p-hcrm"
},
{
"name": "https://github.com/cubefs/cubefs/commit/8555c6402794cabdf2cc025c8bea1576122c07ba",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cubefs/cubefs/commit/8555c6402794cabdf2cc025c8bea1576122c07ba"
}
],
"source": {
"advisory": "GHSA-4248-p65p-hcrm",
"discovery": "UNKNOWN"
},
"title": "Insecure random string generator used for sensitive data"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-46740",
"datePublished": "2024-01-03T16:20:18.619Z",
"dateReserved": "2023-10-25T14:30:33.753Z",
"dateUpdated": "2025-06-17T20:29:07.424Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-41879 (GCVE-0-2023-41879)
Vulnerability from cvelistv5 – Published: 2023-09-11 21:14 – Updated: 2024-09-26 16:55- CWE-330 - Use of Insufficiently Random Values
| URL | Tags |
|---|---|
| https://github.com/OpenMage/magento-lts/security/… | x_refsource_CONFIRM |
| https://github.com/OpenMage/magento-lts/commit/2a… | x_refsource_MISC |
| https://github.com/OpenMage/magento-lts/commit/31… | x_refsource_MISC |
| https://github.com/OpenMage/magento-lts/releases/… | x_refsource_MISC |
| https://github.com/OpenMage/magento-lts/releases/… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| OpenMage | magento-lts |
Affected:
<= 19.5.0
Affected: >= 20.0.0, <= 20.1.0 |
|
| openmage | magento |
Affected:
0 , ≤ 19.5.0
(custom)
Affected: 20.0.0 , ≤ 20.1.0 (custom) cpe:2.3:a:openmage:magento:*:*:*:*:lts:*:*:* |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:09:49.294Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-9358-cpvx-c2qp",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-9358-cpvx-c2qp"
},
{
"name": "https://github.com/OpenMage/magento-lts/commit/2a2a2fb504247e8966f8ffc2e17d614be5d43128",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/OpenMage/magento-lts/commit/2a2a2fb504247e8966f8ffc2e17d614be5d43128"
},
{
"name": "https://github.com/OpenMage/magento-lts/commit/31e74ac5d670b10001f88f038046b62367f15877",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/OpenMage/magento-lts/commit/31e74ac5d670b10001f88f038046b62367f15877"
},
{
"name": "https://github.com/OpenMage/magento-lts/releases/tag/v19.5.1",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/OpenMage/magento-lts/releases/tag/v19.5.1"
},
{
"name": "https://github.com/OpenMage/magento-lts/releases/tag/v20.1.1",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/OpenMage/magento-lts/releases/tag/v20.1.1"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:openmage:magento:*:*:*:*:lts:*:*:*"
],
"defaultStatus": "unknown",
"product": "magento",
"vendor": "openmage",
"versions": [
{
"lessThanOrEqual": "19.5.0",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThanOrEqual": "20.1.0",
"status": "affected",
"version": "20.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-41879",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-26T16:53:59.562897Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-26T16:55:58.992Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "magento-lts",
"vendor": "OpenMage",
"versions": [
{
"status": "affected",
"version": "\u003c= 19.5.0"
},
{
"status": "affected",
"version": "\u003e= 20.0.0, \u003c= 20.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Magento LTS is the official OpenMage LTS codebase. Guest orders may be viewed without authentication using a \"guest-view\" cookie which contains the order\u0027s \"protect_code\". This code is 6 hexadecimal characters which is arguably not enough to prevent a brute-force attack. Exposing each order would require a separate brute force attack. This issue has been patched in versions 19.5.1 and 20.1.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-330",
"description": "CWE-330: Use of Insufficiently Random Values",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-11T21:14:28.597Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-9358-cpvx-c2qp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-9358-cpvx-c2qp"
},
{
"name": "https://github.com/OpenMage/magento-lts/commit/2a2a2fb504247e8966f8ffc2e17d614be5d43128",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OpenMage/magento-lts/commit/2a2a2fb504247e8966f8ffc2e17d614be5d43128"
},
{
"name": "https://github.com/OpenMage/magento-lts/commit/31e74ac5d670b10001f88f038046b62367f15877",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OpenMage/magento-lts/commit/31e74ac5d670b10001f88f038046b62367f15877"
},
{
"name": "https://github.com/OpenMage/magento-lts/releases/tag/v19.5.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OpenMage/magento-lts/releases/tag/v19.5.1"
},
{
"name": "https://github.com/OpenMage/magento-lts/releases/tag/v20.1.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OpenMage/magento-lts/releases/tag/v20.1.1"
}
],
"source": {
"advisory": "GHSA-9358-cpvx-c2qp",
"discovery": "UNKNOWN"
},
"title": "Magento LTS\u0027s guest order \"protect code\" can be brute-forced too easily"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-41879",
"datePublished": "2023-09-11T21:14:28.597Z",
"dateReserved": "2023-09-04T16:31:48.223Z",
"dateUpdated": "2024-09-26T16:55:58.992Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-34353 (GCVE-0-2023-34353)
Vulnerability from cvelistv5 – Published: 2023-09-05 16:15 – Updated: 2025-02-13 16:55- CWE-330 - Use of Insufficiently Random Values
| Vendor | Product | Version | |
|---|---|---|---|
| Open Automation Software | OAS Platform |
Affected:
v18.00.0072
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T16:10:06.405Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://talosintelligence.com/vulnerability_reports/TALOS-2023-1776",
"tags": [
"x_transferred"
],
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2023-1776"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2023-1776"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-34353",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-26T19:52:03.949429Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-26T19:52:13.503Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "OAS Platform",
"vendor": "Open Automation Software",
"versions": [
{
"status": "affected",
"version": "v18.00.0072"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Discovered by a member of Cisco Talos."
}
],
"descriptions": [
{
"lang": "en",
"value": "An authentication bypass vulnerability exists in the OAS Engine authentication functionality of Open Automation Software OAS Platform v18.00.0072. A specially crafted network sniffing can lead to decryption of sensitive information. An attacker can sniff network traffic to trigger this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-330",
"description": "CWE-330: Use of Insufficiently Random Values",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-05T16:15:13.191Z",
"orgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b",
"shortName": "talos"
},
"references": [
{
"name": "https://talosintelligence.com/vulnerability_reports/TALOS-2023-1776",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2023-1776"
},
{
"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2023-1776"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b",
"assignerShortName": "talos",
"cveId": "CVE-2023-34353",
"datePublished": "2023-09-05T16:15:02.295Z",
"dateReserved": "2023-06-13T17:22:56.076Z",
"dateUpdated": "2025-02-13T16:55:30.194Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-31147 (GCVE-0-2023-31147)
Vulnerability from cvelistv5 – Published: 2023-05-25 21:55 – Updated: 2025-02-13 16:49- CWE-330 - Use of Insufficiently Random Values
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:45:25.630Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/c-ares/c-ares/security/advisories/GHSA-8r8p-23f3-64c2",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/c-ares/c-ares/security/advisories/GHSA-8r8p-23f3-64c2"
},
{
"name": "https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B5Z5XFNXTNPTCBBVXFDNZQVLLIE6VRBY/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UBFWILTA33LOSV23P44FGTQQIDRJHIY7/"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202310-09"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-31147",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-16T18:25:39.252161Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-16T18:25:47.351Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "c-ares",
"vendor": "c-ares",
"versions": [
{
"status": "affected",
"version": "\u003c 1.19.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "c-ares is an asynchronous resolver library. When /dev/urandom or RtlGenRandom() are unavailable, c-ares uses rand() to generate random numbers used for DNS query ids. This is not a CSPRNG, and it is also not seeded by srand() so will generate predictable output. Input from the random number generator is fed into a non-compilant RC4 implementation and may not be as strong as the original RC4 implementation. No attempt is made to look for modern OS-provided CSPRNGs like arc4random() that is widely available. This issue has been fixed in version 1.19.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-330",
"description": "CWE-330: Use of Insufficiently Random Values",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-08T08:06:48.246Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/c-ares/c-ares/security/advisories/GHSA-8r8p-23f3-64c2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/c-ares/c-ares/security/advisories/GHSA-8r8p-23f3-64c2"
},
{
"name": "https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B5Z5XFNXTNPTCBBVXFDNZQVLLIE6VRBY/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UBFWILTA33LOSV23P44FGTQQIDRJHIY7/"
},
{
"url": "https://security.gentoo.org/glsa/202310-09"
}
],
"source": {
"advisory": "GHSA-8r8p-23f3-64c2",
"discovery": "UNKNOWN"
},
"title": "Insufficient randomness in generation of DNS query IDs in c-ares"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-31147",
"datePublished": "2023-05-25T21:55:47.585Z",
"dateReserved": "2023-04-24T21:44:10.418Z",
"dateUpdated": "2025-02-13T16:49:46.904Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-31124 (GCVE-0-2023-31124)
Vulnerability from cvelistv5 – Published: 2023-05-25 21:09 – Updated: 2025-02-13 16:49- CWE-330 - Use of Insufficiently Random Values
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:45:25.746Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/c-ares/c-ares/security/advisories/GHSA-54xr-f67r-4pc4",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/c-ares/c-ares/security/advisories/GHSA-54xr-f67r-4pc4"
},
{
"name": "https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B5Z5XFNXTNPTCBBVXFDNZQVLLIE6VRBY/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UBFWILTA33LOSV23P44FGTQQIDRJHIY7/"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202310-09"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-31124",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-16T18:36:12.341822Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-16T18:36:25.449Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "c-ares",
"vendor": "c-ares",
"versions": [
{
"status": "affected",
"version": "\u003c 1.19.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "c-ares is an asynchronous resolver library. When cross-compiling c-ares and using the autotools build system, CARES_RANDOM_FILE will not be set, as seen when cross compiling aarch64 android. This will downgrade to using rand() as a fallback which could allow an attacker to take advantage of the lack of entropy by not using a CSPRNG. This issue was patched in version 1.19.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-330",
"description": "CWE-330: Use of Insufficiently Random Values",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-08T08:06:46.531Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/c-ares/c-ares/security/advisories/GHSA-54xr-f67r-4pc4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/c-ares/c-ares/security/advisories/GHSA-54xr-f67r-4pc4"
},
{
"name": "https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B5Z5XFNXTNPTCBBVXFDNZQVLLIE6VRBY/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UBFWILTA33LOSV23P44FGTQQIDRJHIY7/"
},
{
"url": "https://security.gentoo.org/glsa/202310-09"
}
],
"source": {
"advisory": "GHSA-54xr-f67r-4pc4",
"discovery": "UNKNOWN"
},
"title": "AutoTools does not set CARES_RANDOM_FILE during cross compilation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-31124",
"datePublished": "2023-05-25T21:09:31.881Z",
"dateReserved": "2023-04-24T21:44:10.415Z",
"dateUpdated": "2025-02-13T16:49:43.787Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-30797 (GCVE-0-2023-30797)
Vulnerability from cvelistv5 – Published: 2023-04-19 19:10 – Updated: 2026-07-15 01:24- CWE-330 - Use of Insufficiently Random Values
| URL | Tags |
|---|---|
| https://github.com/Netflix/security-bulletins/blo… | vendor-advisory |
| https://github.com/Netflix/lemur/commit/666d85321… | patch |
| https://github.com/Netflix/lemur/security/advisor… | vendor-advisory |
| https://vulncheck.com/advisories/netflix-lemur-weak-rng | third-party-advisory |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:37:15.447Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2023-001.md"
},
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/Netflix/lemur/commit/666d853212174ee7f4e6f8b3b4b389ede1872238"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://github.com/Netflix/lemur/security/advisories/GHSA-5fqv-mpj8-h7gm"
},
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://vulncheck.com/advisories/netflix-lemur-weak-rng"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-30797",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-05T14:49:23.482600Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-330",
"description": "CWE-330 Use of Insufficiently Random Values",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-05T14:50:36.951Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pypi.org/project/lemur/",
"defaultStatus": "unaffected",
"packageName": "lemur",
"packageURL": "pkg:pypi/lemur",
"product": "Lemur",
"repo": "https://github.com/Netflix/lemur",
"vendor": "Netflix",
"versions": [
{
"lessThan": "1.3.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:netflix:lemur:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.3.2",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"datePublic": "2023-02-28T15:41:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eNetflix Lemur before version 1.3.2 used insufficiently random values when generating default credentials. The insufficiently random values may allow an attacker to guess the credentials and gain access to resources managed by Lemur.\u003cbr\u003e\u003c/div\u003e"
}
],
"value": "Netflix Lemur before version 1.3.2 used insufficiently random values when generating default credentials. The insufficiently random values may allow an attacker to guess the credentials and gain access to resources managed by Lemur."
}
],
"impacts": [
{
"capecId": "CAPEC-112",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-112 Brute Force"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-330",
"description": "CWE-330 Use of Insufficiently Random Values",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T01:24:50.449Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2023-001.md"
},
{
"tags": [
"patch"
],
"url": "https://github.com/Netflix/lemur/commit/666d853212174ee7f4e6f8b3b4b389ede1872238"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://github.com/Netflix/lemur/security/advisories/GHSA-5fqv-mpj8-h7gm"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://vulncheck.com/advisories/netflix-lemur-weak-rng"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Insecure Random Generation in Netflix Lemur",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2023-30797",
"datePublished": "2023-04-19T19:10:12.523Z",
"dateReserved": "2023-04-18T10:31:45.962Z",
"dateUpdated": "2026-07-15T01:24:50.449Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-29332 (GCVE-0-2023-29332)
Vulnerability from cvelistv5 – Published: 2023-09-12 16:58 – Updated: 2025-10-30 18:17- CWE-330 - Use of Insufficiently Random Values
| URL | Tags |
|---|---|
| https://msrc.microsoft.com/update-guide/vulnerabi… | vendor-advisory |
| Vendor | Product | Version | |
|---|---|---|---|
| Microsoft | Azure Kubernetes Service |
Affected:
1.0 , < VHD 202308
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:07:45.624Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "Microsoft Azure Kubernetes Service Elevation of Privilege Vulnerability",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29332"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-29332",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-26T21:50:20.635220Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T20:54:08.046Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"platforms": [
"Unknown"
],
"product": "Azure Kubernetes Service",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "VHD 202308",
"status": "affected",
"version": "1.0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:microsoft:azure_kubernetes_service:*:*:*:*:*:*:*:*",
"versionEndExcluding": "VHD 202308",
"versionStartIncluding": "1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"datePublic": "2023-09-12T07:00:00.000Z",
"descriptions": [
{
"lang": "en-US",
"value": "Microsoft Azure Kubernetes Service Elevation of Privilege Vulnerability"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-330",
"description": "CWE-330: Use of Insufficiently Random Values",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-30T18:17:39.232Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"name": "Microsoft Azure Kubernetes Service Elevation of Privilege Vulnerability",
"tags": [
"vendor-advisory"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29332"
}
],
"title": "Microsoft Azure Kubernetes Service Elevation of Privilege Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2023-29332",
"datePublished": "2023-09-12T16:58:34.444Z",
"dateReserved": "2023-04-04T22:34:18.379Z",
"dateUpdated": "2025-10-30T18:17:39.232Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
- Use a well-vetted algorithm that is currently considered to be strong by experts in the field, and select well-tested implementations with adequate length seeds.
- In general, if a pseudo-random number generator is not advertised as being cryptographically secure, then it is probably a statistical PRNG and should not be used in security-sensitive contexts.
- Pseudo-random number generators can produce predictable numbers if the generator is known and the seed can be guessed. A 256-bit seed is a good starting point for producing a "random enough" number.
Mitigation
Consider a PRNG that re-seeds itself as needed from high quality pseudo-random output sources, such as hardware devices.
Mitigation MIT-2
Strategy: Libraries or Frameworks
Use products or modules that conform to FIPS 140-2 [REF-267] to avoid obvious entropy problems. Consult FIPS 140-2 Annex C ("Approved Random Number Generators").
CAPEC-112: Brute Force
In this attack, some asset (information, functionality, identity, etc.) is protected by a finite secret value. The attacker attempts to gain access to this asset by using trial-and-error to exhaustively explore all the possible secret values in the hope of finding the secret (or a value that is functionally equivalent) that will unlock the asset.
CAPEC-485: Signature Spoofing by Key Recreation
An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
CAPEC-59: Session Credential Falsification through Prediction
This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.