CWE-331
AllowedInsufficient Entropy
Abstraction: Base · Status: Draft
The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.
207 vulnerabilities reference this CWE, most recent first.
GHSA-5VFX-VPJ9-7JVR
Vulnerability from github – Published: 2022-05-13 01:37 – Updated: 2022-05-13 01:37An Insufficient Entropy issue was discovered in LOYTEC LVIS-3ME versions prior to 6.2.0. The application does not utilize sufficiently random number generation for the web interface authentication mechanism, which could allow remote code execution.
{
"affected": [],
"aliases": [
"CVE-2017-13992"
],
"database_specific": {
"cwe_ids": [
"CWE-331"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-10-05T21:29:00Z",
"severity": "HIGH"
},
"details": "An Insufficient Entropy issue was discovered in LOYTEC LVIS-3ME versions prior to 6.2.0. The application does not utilize sufficiently random number generation for the web interface authentication mechanism, which could allow remote code execution.",
"id": "GHSA-5vfx-vpj9-7jvr",
"modified": "2022-05-13T01:37:43Z",
"published": "2022-05-13T01:37:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-13992"
},
{
"type": "WEB",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-257-01"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/100847"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-63M6-FQGG-RV45
Vulnerability from github – Published: 2022-05-24 17:12 – Updated: 2023-08-31 03:30It's possible that an authenticated user guess other session IDs based on its own. Also it's possible to guess a password reset token or an automated password generated. This issue affects ((OTRS)) Community Edition: 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS; 7.0.15 and prior versions.
{
"affected": [],
"aliases": [
"CVE-2020-1773"
],
"database_specific": {
"cwe_ids": [
"CWE-331"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-03-27T13:15:00Z",
"severity": "MODERATE"
},
"details": "It\u0027s possible that an authenticated user guess other session IDs based on its own. Also it\u0027s possible to guess a password reset token or an automated password generated. This issue affects ((OTRS)) Community Edition: 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS; 7.0.15 and prior versions.",
"id": "GHSA-63m6-fqgg-rv45",
"modified": "2023-08-31T03:30:36Z",
"published": "2022-05-24T17:12:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1773"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html"
},
{
"type": "WEB",
"url": "https://otrs.com/release-notes/otrs-security-advisory-2020-10"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00066.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00077.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-64QF-4R7V-W6J5
Vulnerability from github – Published: 2022-11-16 12:00 – Updated: 2022-11-21 15:30A vulnerability in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an unauthenticated, remote attacker to access sensitive information. This vulnerability is due to missing authorization for certain resources in the web-based management interface together with insufficient entropy in these resource names. An attacker could exploit this vulnerability by sending a series of HTTPS requests to an affected device to enumerate resources on the device. A successful exploit could allow the attacker to retrieve sensitive information from the device.
{
"affected": [],
"aliases": [
"CVE-2022-20941"
],
"database_specific": {
"cwe_ids": [
"CWE-330",
"CWE-331",
"CWE-334"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-15T21:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an unauthenticated, remote attacker to access sensitive information. This vulnerability is due to missing authorization for certain resources in the web-based management interface together with insufficient entropy in these resource names. An attacker could exploit this vulnerability by sending a series of HTTPS requests to an affected device to enumerate resources on the device. A successful exploit could allow the attacker to retrieve sensitive information from the device.",
"id": "GHSA-64qf-4r7v-w6j5",
"modified": "2022-11-21T15:30:21Z",
"published": "2022-11-16T12:00:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20941"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-info-disc-UghNRRhP"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-info-disc-UghNRRhP"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6CPX-55PW-9CXQ
Vulnerability from github – Published: 2025-03-24 21:30 – Updated: 2025-03-26 15:32Limited secret space in LLDP packets used in onos v2.7.0 allows attackers to obtain the private key via a bruteforce attack. Attackers are able to leverage this vulnerability into creating crafted LLDP packets.
{
"affected": [],
"aliases": [
"CVE-2025-29311"
],
"database_specific": {
"cwe_ids": [
"CWE-331"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-24T21:15:18Z",
"severity": "HIGH"
},
"details": "Limited secret space in LLDP packets used in onos v2.7.0 allows attackers to obtain the private key via a bruteforce attack. Attackers are able to leverage this vulnerability into creating crafted LLDP packets.",
"id": "GHSA-6cpx-55pw-9cxq",
"modified": "2025-03-26T15:32:36Z",
"published": "2025-03-24T21:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-29311"
},
{
"type": "WEB",
"url": "https://gist.github.com/Saber-Berserker/790f2a75ae482df3fd0fce569f30504a;"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6CR3-M628-79PX
Vulnerability from github – Published: 2026-05-15 15:30 – Updated: 2026-05-15 15:30- Countermeasures for DPA within SYMCRYPTO engine on SixG301xxx devices are not sufficiently random and will eventually repeat.
- KSU keys using SYMCRYPTO will be impacted by this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2025-14972"
],
"database_specific": {
"cwe_ids": [
"CWE-331"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-15T15:16:49Z",
"severity": "MODERATE"
},
"details": "* Countermeasures for DPA within SYMCRYPTO\nengine on SixG301xxx devices are not sufficiently random and will\neventually repeat.\n * KSU keys using SYMCRYPTO will be\nimpacted by this vulnerability.",
"id": "GHSA-6cr3-m628-79px",
"modified": "2026-05-15T15:30:45Z",
"published": "2026-05-15T15:30:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14972"
},
{
"type": "WEB",
"url": "https://community.silabs.com/068Vm00000M3cAX"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:P/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-6GMW-8X48-Q8WW
Vulnerability from github – Published: 2024-04-05 09:30 – Updated: 2024-11-14 21:31Chilkat before v9.5.0.98, allows attackers to obtain sensitive information via predictable PRNG in ChilkatRand::randomBytes function.
{
"affected": [],
"aliases": [
"CVE-2024-26329"
],
"database_specific": {
"cwe_ids": [
"CWE-331"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-05T07:15:10Z",
"severity": "MODERATE"
},
"details": "Chilkat before v9.5.0.98, allows attackers to obtain sensitive information via predictable PRNG in ChilkatRand::randomBytes function.",
"id": "GHSA-6gmw-8x48-q8ww",
"modified": "2024-11-14T21:31:57Z",
"published": "2024-04-05T09:30:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26329"
},
{
"type": "WEB",
"url": "https://x41-dsec.de/lab/advisories/x41-2024-001-chilkat-prng"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7CCR-FW66-P8JJ
Vulnerability from github – Published: 2026-06-25 21:31 – Updated: 2026-06-25 21:31SYMCRYPTO is the SiXG301's host side hardware engine accessed by PSA crypto library that accelerates symmetric cryptographic operations (AES encryption/decryption and hashing).
DPA Countermeasures on SYMCRYPTO can be weakened (reduced entropy) by forcing certain seed values if an attacker gains code execution capability on the impacted device.
- Therefore, the keys loaded on SYMCRYPTO may be more vulnerable to extraction through DPA attacks than intended
{
"affected": [],
"aliases": [
"CVE-2026-4930"
],
"database_specific": {
"cwe_ids": [
"CWE-331"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-25T19:16:39Z",
"severity": "HIGH"
},
"details": "SYMCRYPTO is the SiXG301\u0027s host side hardware engine accessed by PSA crypto library that accelerates symmetric cryptographic operations (AES encryption/decryption and hashing).\n\n\nDPA Countermeasures on SYMCRYPTO can be weakened (reduced entropy) by forcing certain seed values if an attacker gains code execution capability on the impacted device.\n\n * Therefore, the keys loaded on SYMCRYPTO may be more vulnerable to extraction through DPA attacks than intended",
"id": "GHSA-7ccr-fw66-p8jj",
"modified": "2026-06-25T21:31:29Z",
"published": "2026-06-25T21:31:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4930"
},
{
"type": "WEB",
"url": "https://community.silabs.com/068Vm00000sjHs3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:P/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-7G24-QG88-P43Q
Vulnerability from github – Published: 2023-10-25 18:32 – Updated: 2023-11-01 05:54jose4j before v0.9.3 allows attackers to set a low PBES2 iteration count of 1000 or less.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.bitbucket.b_c:jose4j"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.9.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-31582"
],
"database_specific": {
"cwe_ids": [
"CWE-327",
"CWE-331"
],
"github_reviewed": true,
"github_reviewed_at": "2023-10-27T19:13:19Z",
"nvd_published_at": "2023-10-25T18:17:27Z",
"severity": "HIGH"
},
"details": "jose4j before v0.9.3 allows attackers to set a low PBES2 iteration count of 1000 or less.",
"id": "GHSA-7g24-qg88-p43q",
"modified": "2023-11-01T05:54:15Z",
"published": "2023-10-25T18:32:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31582"
},
{
"type": "PACKAGE",
"url": "https://bitbucket.org/b_c/jose4j"
},
{
"type": "WEB",
"url": "https://bitbucket.org/b_c/jose4j/commits/1929fe3"
},
{
"type": "WEB",
"url": "https://bitbucket.org/b_c/jose4j/issues/203/insecure-support-of-setting-pbe-less-then"
},
{
"type": "WEB",
"url": "https://github.com/KANIXB/JWTIssues/blob/main/jose4j%20issue.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "jose4j uses weak cryptographic algorithm"
}
GHSA-7QHW-4FCQ-2G37
Vulnerability from github – Published: 2026-02-18 21:31 – Updated: 2026-02-18 21:31An insufficient entropy vulnerability was found in glibc. The getrandom and arc4random family of functions may return predictable randomness if these functions are called again after the fork, which happens concurrently with a call to any of these functions.
{
"affected": [],
"aliases": [
"CVE-2025-0577"
],
"database_specific": {
"cwe_ids": [
"CWE-331"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-18T21:16:20Z",
"severity": "MODERATE"
},
"details": "An insufficient entropy vulnerability was found in glibc. The getrandom and arc4random family of functions may return predictable randomness if these functions are called again after the fork, which happens concurrently with a call to any of these functions.",
"id": "GHSA-7qhw-4fcq-2g37",
"modified": "2026-02-18T21:31:23Z",
"published": "2026-02-18T21:31:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0577"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2025-0577"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2338871"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7R3H-69G8-3VQV
Vulnerability from github – Published: 2025-10-22 06:31 – Updated: 2025-10-22 06:31On Mercku M6a devices through 2.1.0, the authentication system uses predictable session tokens based on timestamps.
{
"affected": [],
"aliases": [
"CVE-2025-62774"
],
"database_specific": {
"cwe_ids": [
"CWE-331"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-22T04:16:09Z",
"severity": "LOW"
},
"details": "On Mercku M6a devices through 2.1.0, the authentication system uses predictable session tokens based on timestamps.",
"id": "GHSA-7r3h-69g8-3vqv",
"modified": "2025-10-22T06:31:11Z",
"published": "2025-10-22T06:31:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62774"
},
{
"type": "WEB",
"url": "https://blog.nullvoid.me/posts/mercku-exploits"
},
{
"type": "WEB",
"url": "https://seclists.org/fulldisclosure/2025/Oct/10"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Determine the necessary entropy to adequately provide for randomness and predictability. This can be achieved by increasing the number of bits of objects such as keys and seeds.
CAPEC-59: Session Credential Falsification through Prediction
This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.