Common Weakness Enumeration

CWE-331

Allowed

Insufficient Entropy

Abstraction: Base · Status: Draft

The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.

207 vulnerabilities reference this CWE, most recent first.

GHSA-5VFX-VPJ9-7JVR

Vulnerability from github – Published: 2022-05-13 01:37 – Updated: 2022-05-13 01:37
VLAI
Details

An Insufficient Entropy issue was discovered in LOYTEC LVIS-3ME versions prior to 6.2.0. The application does not utilize sufficiently random number generation for the web interface authentication mechanism, which could allow remote code execution.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-13992"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-331"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-10-05T21:29:00Z",
    "severity": "HIGH"
  },
  "details": "An Insufficient Entropy issue was discovered in LOYTEC LVIS-3ME versions prior to 6.2.0. The application does not utilize sufficiently random number generation for the web interface authentication mechanism, which could allow remote code execution.",
  "id": "GHSA-5vfx-vpj9-7jvr",
  "modified": "2022-05-13T01:37:43Z",
  "published": "2022-05-13T01:37:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-13992"
    },
    {
      "type": "WEB",
      "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-257-01"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/100847"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-63M6-FQGG-RV45

Vulnerability from github – Published: 2022-05-24 17:12 – Updated: 2023-08-31 03:30
VLAI
Details

It's possible that an authenticated user guess other session IDs based on its own. Also it's possible to guess a password reset token or an automated password generated. This issue affects ((OTRS)) Community Edition: 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS; 7.0.15 and prior versions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-1773"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-331"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-03-27T13:15:00Z",
    "severity": "MODERATE"
  },
  "details": "It\u0027s possible that an authenticated user guess other session IDs based on its own. Also it\u0027s possible to guess a password reset token or an automated password generated. This issue affects ((OTRS)) Community Edition: 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS; 7.0.15 and prior versions.",
  "id": "GHSA-63m6-fqgg-rv45",
  "modified": "2023-08-31T03:30:36Z",
  "published": "2022-05-24T17:12:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1773"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html"
    },
    {
      "type": "WEB",
      "url": "https://otrs.com/release-notes/otrs-security-advisory-2020-10"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00066.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00077.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-64QF-4R7V-W6J5

Vulnerability from github – Published: 2022-11-16 12:00 – Updated: 2022-11-21 15:30
VLAI
Details

A vulnerability in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an unauthenticated, remote attacker to access sensitive information. This vulnerability is due to missing authorization for certain resources in the web-based management interface together with insufficient entropy in these resource names. An attacker could exploit this vulnerability by sending a series of HTTPS requests to an affected device to enumerate resources on the device. A successful exploit could allow the attacker to retrieve sensitive information from the device.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-20941"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-330",
      "CWE-331",
      "CWE-334"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-15T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an unauthenticated, remote attacker to access sensitive information. This vulnerability is due to missing authorization for certain resources in the web-based management interface together with insufficient entropy in these resource names. An attacker could exploit this vulnerability by sending a series of HTTPS requests to an affected device to enumerate resources on the device. A successful exploit could allow the attacker to retrieve sensitive information from the device.",
  "id": "GHSA-64qf-4r7v-w6j5",
  "modified": "2022-11-21T15:30:21Z",
  "published": "2022-11-16T12:00:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20941"
    },
    {
      "type": "WEB",
      "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-info-disc-UghNRRhP"
    },
    {
      "type": "WEB",
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-info-disc-UghNRRhP"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6CPX-55PW-9CXQ

Vulnerability from github – Published: 2025-03-24 21:30 – Updated: 2025-03-26 15:32
VLAI
Details

Limited secret space in LLDP packets used in onos v2.7.0 allows attackers to obtain the private key via a bruteforce attack. Attackers are able to leverage this vulnerability into creating crafted LLDP packets.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-29311"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-331"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-24T21:15:18Z",
    "severity": "HIGH"
  },
  "details": "Limited secret space in LLDP packets used in onos v2.7.0 allows attackers to obtain the private key via a bruteforce attack. Attackers are able to leverage this vulnerability into creating crafted LLDP packets.",
  "id": "GHSA-6cpx-55pw-9cxq",
  "modified": "2025-03-26T15:32:36Z",
  "published": "2025-03-24T21:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-29311"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/Saber-Berserker/790f2a75ae482df3fd0fce569f30504a;"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6CR3-M628-79PX

Vulnerability from github – Published: 2026-05-15 15:30 – Updated: 2026-05-15 15:30
VLAI
Details
  • Countermeasures for DPA within SYMCRYPTO engine on SixG301xxx devices are not sufficiently random and will eventually repeat.
  • KSU keys using SYMCRYPTO will be impacted by this vulnerability.
Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-14972"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-331"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-15T15:16:49Z",
    "severity": "MODERATE"
  },
  "details": "*  Countermeasures for DPA within SYMCRYPTO\nengine on SixG301xxx devices are not sufficiently random and will\neventually repeat.\n  *  KSU keys using SYMCRYPTO will be\nimpacted by this vulnerability.",
  "id": "GHSA-6cr3-m628-79px",
  "modified": "2026-05-15T15:30:45Z",
  "published": "2026-05-15T15:30:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14972"
    },
    {
      "type": "WEB",
      "url": "https://community.silabs.com/068Vm00000M3cAX"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:P/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-6GMW-8X48-Q8WW

Vulnerability from github – Published: 2024-04-05 09:30 – Updated: 2024-11-14 21:31
VLAI
Details

Chilkat before v9.5.0.98, allows attackers to obtain sensitive information via predictable PRNG in ChilkatRand::randomBytes function.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-26329"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-331"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-05T07:15:10Z",
    "severity": "MODERATE"
  },
  "details": "Chilkat before v9.5.0.98, allows attackers to obtain sensitive information via predictable PRNG in ChilkatRand::randomBytes function.",
  "id": "GHSA-6gmw-8x48-q8ww",
  "modified": "2024-11-14T21:31:57Z",
  "published": "2024-04-05T09:30:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26329"
    },
    {
      "type": "WEB",
      "url": "https://x41-dsec.de/lab/advisories/x41-2024-001-chilkat-prng"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7CCR-FW66-P8JJ

Vulnerability from github – Published: 2026-06-25 21:31 – Updated: 2026-06-25 21:31
VLAI
Details

SYMCRYPTO is the SiXG301's host side hardware engine accessed by PSA crypto library that accelerates symmetric cryptographic operations (AES encryption/decryption and hashing).

DPA Countermeasures on SYMCRYPTO can be weakened (reduced entropy) by forcing certain seed values if an attacker gains code execution capability on the impacted device.

  • Therefore, the keys loaded on SYMCRYPTO may be more vulnerable to extraction through DPA attacks than intended
Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-4930"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-331"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-25T19:16:39Z",
    "severity": "HIGH"
  },
  "details": "SYMCRYPTO is the SiXG301\u0027s host side hardware engine accessed by PSA crypto library that accelerates symmetric cryptographic operations (AES encryption/decryption and hashing).\n\n\nDPA Countermeasures on SYMCRYPTO can be weakened (reduced entropy) by forcing certain seed values if an attacker gains code execution capability on the impacted device.\n\n  *  Therefore, the keys loaded on SYMCRYPTO may be more vulnerable to extraction through DPA attacks than intended",
  "id": "GHSA-7ccr-fw66-p8jj",
  "modified": "2026-06-25T21:31:29Z",
  "published": "2026-06-25T21:31:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4930"
    },
    {
      "type": "WEB",
      "url": "https://community.silabs.com/068Vm00000sjHs3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:P/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-7G24-QG88-P43Q

Vulnerability from github – Published: 2023-10-25 18:32 – Updated: 2023-11-01 05:54
VLAI
Summary
jose4j uses weak cryptographic algorithm
Details

jose4j before v0.9.3 allows attackers to set a low PBES2 iteration count of 1000 or less.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.bitbucket.b_c:jose4j"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.9.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-31582"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-327",
      "CWE-331"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-10-27T19:13:19Z",
    "nvd_published_at": "2023-10-25T18:17:27Z",
    "severity": "HIGH"
  },
  "details": "jose4j before v0.9.3 allows attackers to set a low PBES2 iteration count of 1000 or less.",
  "id": "GHSA-7g24-qg88-p43q",
  "modified": "2023-11-01T05:54:15Z",
  "published": "2023-10-25T18:32:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31582"
    },
    {
      "type": "PACKAGE",
      "url": "https://bitbucket.org/b_c/jose4j"
    },
    {
      "type": "WEB",
      "url": "https://bitbucket.org/b_c/jose4j/commits/1929fe3"
    },
    {
      "type": "WEB",
      "url": "https://bitbucket.org/b_c/jose4j/issues/203/insecure-support-of-setting-pbe-less-then"
    },
    {
      "type": "WEB",
      "url": "https://github.com/KANIXB/JWTIssues/blob/main/jose4j%20issue.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "jose4j uses weak cryptographic algorithm"
}

GHSA-7QHW-4FCQ-2G37

Vulnerability from github – Published: 2026-02-18 21:31 – Updated: 2026-02-18 21:31
VLAI
Details

An insufficient entropy vulnerability was found in glibc. The getrandom and arc4random family of functions may return predictable randomness if these functions are called again after the fork, which happens concurrently with a call to any of these functions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-0577"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-331"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-18T21:16:20Z",
    "severity": "MODERATE"
  },
  "details": "An insufficient entropy vulnerability was found in glibc. The getrandom and arc4random family of functions may return predictable randomness if these functions are called again after the fork, which happens concurrently with a call to any of these functions.",
  "id": "GHSA-7qhw-4fcq-2g37",
  "modified": "2026-02-18T21:31:23Z",
  "published": "2026-02-18T21:31:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0577"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2025-0577"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2338871"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7R3H-69G8-3VQV

Vulnerability from github – Published: 2025-10-22 06:31 – Updated: 2025-10-22 06:31
VLAI
Details

On Mercku M6a devices through 2.1.0, the authentication system uses predictable session tokens based on timestamps.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-62774"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-331"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-22T04:16:09Z",
    "severity": "LOW"
  },
  "details": "On Mercku M6a devices through 2.1.0, the authentication system uses predictable session tokens based on timestamps.",
  "id": "GHSA-7r3h-69g8-3vqv",
  "modified": "2025-10-22T06:31:11Z",
  "published": "2025-10-22T06:31:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62774"
    },
    {
      "type": "WEB",
      "url": "https://blog.nullvoid.me/posts/mercku-exploits"
    },
    {
      "type": "WEB",
      "url": "https://seclists.org/fulldisclosure/2025/Oct/10"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation

Determine the necessary entropy to adequately provide for randomness and predictability. This can be achieved by increasing the number of bits of objects such as keys and seeds.

CAPEC-59: Session Credential Falsification through Prediction

This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.