CWE-335
AllowedIncorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)
Abstraction: Base · Status: Draft
The product uses a Pseudo-Random Number Generator (PRNG) but does not correctly manage seeds.
53 vulnerabilities reference this CWE, most recent first.
GHSA-5J8H-3WVC-37WP
Vulnerability from github – Published: 2022-05-24 17:19 – Updated: 2024-04-04 02:51D-Link DIR-865L Ax 1.20B01 Beta devices have a predictable seed in a Pseudo-Random Number Generator.
{
"affected": [],
"aliases": [
"CVE-2020-13784"
],
"database_specific": {
"cwe_ids": [
"CWE-335",
"CWE-338"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-06-03T17:15:00Z",
"severity": "HIGH"
},
"details": "D-Link DIR-865L Ax 1.20B01 Beta devices have a predictable seed in a Pseudo-Random Number Generator.",
"id": "GHSA-5j8h-3wvc-37wp",
"modified": "2024-04-04T02:51:16Z",
"published": "2022-05-24T17:19:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13784"
},
{
"type": "WEB",
"url": "https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10174"
},
{
"type": "WEB",
"url": "https://unit42.paloaltonetworks.com/6-new-d-link-vulnerabilities-found-on-home-routers"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6CV6-HF8Q-PXX2
Vulnerability from github – Published: 2024-04-29 15:30 – Updated: 2024-04-29 15:30Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) vulnerability in Secomea GateManager (Webserver modules) allows Session Hijacking.This issue affects GateManager: before 11.2.624071020.
{
"affected": [],
"aliases": [
"CVE-2024-1579"
],
"database_specific": {
"cwe_ids": [
"CWE-335"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-29T14:15:08Z",
"severity": "HIGH"
},
"details": "Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) vulnerability in Secomea GateManager (Webserver modules) allows Session Hijacking.This issue affects GateManager: before 11.2.624071020.\n\n",
"id": "GHSA-6cv6-hf8q-pxx2",
"modified": "2024-04-29T15:30:30Z",
"published": "2024-04-29T15:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1579"
},
{
"type": "WEB",
"url": "https://www.secomea.com/support/cybersecurity-advisory"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6FCJ-RV73-F37C
Vulnerability from github – Published: 2022-05-24 17:32 – Updated: 2024-03-25 18:30An issue was discovered in beta versions of the 1Password command-line tool prior to 0.5.5 and in beta versions of the 1Password SCIM bridge prior to 0.7.3. An insecure random number generator was used to generate various keys. An attacker with access to the user's encrypted data may be able to perform brute-force calculations of encryption keys and thus succeed at decryption.
{
"affected": [],
"aliases": [
"CVE-2020-10256"
],
"database_specific": {
"cwe_ids": [
"CWE-335"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-27T14:15:00Z",
"severity": "CRITICAL"
},
"details": "An issue was discovered in beta versions of the 1Password command-line tool prior to 0.5.5 and in beta versions of the 1Password SCIM bridge prior to 0.7.3. An insecure random number generator was used to generate various keys. An attacker with access to the user\u0027s encrypted data may be able to perform brute-force calculations of encryption keys and thus succeed at decryption.",
"id": "GHSA-6fcj-rv73-f37c",
"modified": "2024-03-25T18:30:56Z",
"published": "2022-05-24T17:32:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10256"
},
{
"type": "WEB",
"url": "https://support.1password.com/command-line"
},
{
"type": "WEB",
"url": "https://support.1password.com/kb/202010"
},
{
"type": "WEB",
"url": "https://support.1password.com/scim"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7542-V6GH-MFVW
Vulnerability from github – Published: 2022-04-23 00:40 – Updated: 2024-04-03 23:52lib/libc/stdlib/random.c in OpenBSD returns 0 when seeded with 0.
{
"affected": [],
"aliases": [
"CVE-2012-1577"
],
"database_specific": {
"cwe_ids": [
"CWE-335"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-12-10T19:15:00Z",
"severity": "CRITICAL"
},
"details": "lib/libc/stdlib/random.c in OpenBSD returns 0 when seeded with 0.",
"id": "GHSA-7542-v6gh-mfvw",
"modified": "2024-04-03T23:52:49Z",
"published": "2022-04-23T00:40:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-1577"
},
{
"type": "WEB",
"url": "https://github.com/ensc/dietlibc/blob/master/CHANGES"
},
{
"type": "WEB",
"url": "https://security-tracker.debian.org/tracker/CVE-2012-1577"
},
{
"type": "WEB",
"url": "http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/random.c#rev1.16"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2012/03/23/14"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-76MM-6XM9-HWPX
Vulnerability from github – Published: 2026-04-01 21:30 – Updated: 2026-04-01 21:30Mbed TLS before 3.6.6 and TF-PSA-Crypto before 1.1.0 misuse seeds in a Pseudo-Random Number Generator (PRNG).
{
"affected": [],
"aliases": [
"CVE-2026-25835"
],
"database_specific": {
"cwe_ids": [
"CWE-335"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-01T19:16:28Z",
"severity": "HIGH"
},
"details": "Mbed TLS before 3.6.6 and TF-PSA-Crypto before 1.1.0 misuse seeds in a Pseudo-Random Number Generator (PRNG).",
"id": "GHSA-76mm-6xm9-hwpx",
"modified": "2026-04-01T21:30:30Z",
"published": "2026-04-01T21:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25835"
},
{
"type": "WEB",
"url": "https://mbed-tls.readthedocs.io/en/latest/security-advisories"
},
{
"type": "WEB",
"url": "https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-rng-cloning"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7MGV-QHC8-MRRG
Vulnerability from github – Published: 2022-04-09 00:00 – Updated: 2022-04-15 00:00Dell PowerScale OneFS, versions 8.2.x-9.3.x, contain a predictable seed in pseudo-random number generator. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to an account compromise.
{
"affected": [],
"aliases": [
"CVE-2022-26852"
],
"database_specific": {
"cwe_ids": [
"CWE-335"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-08T20:15:00Z",
"severity": "CRITICAL"
},
"details": "Dell PowerScale OneFS, versions 8.2.x-9.3.x, contain a predictable seed in pseudo-random number generator. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to an account compromise.",
"id": "GHSA-7mgv-qhc8-mrrg",
"modified": "2022-04-15T00:00:53Z",
"published": "2022-04-09T00:00:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26852"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000197991/dell-emc-powerscale-onefs-security-update-for-multiple-component-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-82RP-XG3C-HXPX
Vulnerability from github – Published: 2022-01-29 00:00 – Updated: 2022-10-07 18:15Piwigo is image gallery software written in PHP. When a criteria is not met on a host, piwigo defaults to usingmt_rand in order to generate password reset tokens. mt_rand output can be predicted after recovering the seed used to generate it. This low an unauthenticated attacker to take over an account providing they know an administrators email address in order to be able to request password reset.
{
"affected": [],
"aliases": [
"CVE-2016-3735"
],
"database_specific": {
"cwe_ids": [
"CWE-335"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-01-28T20:15:00Z",
"severity": "HIGH"
},
"details": "Piwigo is image gallery software written in PHP. When a criteria is not met on a host, piwigo defaults to usingmt_rand in order to generate password reset tokens. mt_rand output can be predicted after recovering the seed used to generate it. This low an unauthenticated attacker to take over an account providing they know an administrators email address in order to be able to request password reset.",
"id": "GHSA-82rp-xg3c-hxpx",
"modified": "2022-10-07T18:15:58Z",
"published": "2022-01-29T00:00:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-3735"
},
{
"type": "WEB",
"url": "https://github.com/Piwigo/Piwigo/issues/470,"
},
{
"type": "WEB",
"url": "https://github.com/Piwigo/Piwigo/commit/f51ee90c66527fd7ff634f3e8d414cb670da068d"
},
{
"type": "WEB",
"url": "http://piwigo.org/release-2.8.1,"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-85QJ-2CFQ-3WP8
Vulnerability from github – Published: 2022-05-24 19:02 – Updated: 2022-07-13 00:01An HTTP Request Smuggling vulnerability in Pulse Secure Virtual Traffic Manager before 21.1 could allow an attacker to smuggle an HTTP request through an HTTP/2 Header. This vulnerability is resolved in 21.1, 20.3R1, 20.2R1, 20.1R2, 19.2R4, and 18.2R3.
{
"affected": [],
"aliases": [
"CVE-2021-31922"
],
"database_specific": {
"cwe_ids": [
"CWE-335"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-05-14T01:15:00Z",
"severity": "HIGH"
},
"details": "An HTTP Request Smuggling vulnerability in Pulse Secure Virtual Traffic Manager before 21.1 could allow an attacker to smuggle an HTTP request through an HTTP/2 Header. This vulnerability is resolved in 21.1, 20.3R1, 20.2R1, 20.1R2, 19.2R4, and 18.2R3.",
"id": "GHSA-85qj-2cfq-3wp8",
"modified": "2022-07-13T00:01:25Z",
"published": "2022-05-24T19:02:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31922"
},
{
"type": "WEB",
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44790"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-8P8F-C57X-4QW8
Vulnerability from github – Published: 2022-05-13 01:07 – Updated: 2022-05-13 01:07In Airsonic 10.2.1, RecoverController.java generates passwords via org.apache.commons.lang.RandomStringUtils, which uses java.util.Random internally. This PRNG has a 48-bit seed that can easily be bruteforced, leading to trivial privilege escalation attacks.
{
"affected": [],
"aliases": [
"CVE-2019-10908"
],
"database_specific": {
"cwe_ids": [
"CWE-335"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-04-07T14:29:00Z",
"severity": "CRITICAL"
},
"details": "In Airsonic 10.2.1, RecoverController.java generates passwords via org.apache.commons.lang.RandomStringUtils, which uses java.util.Random internally. This PRNG has a 48-bit seed that can easily be bruteforced, leading to trivial privilege escalation attacks.",
"id": "GHSA-8p8f-c57x-4qw8",
"modified": "2022-05-13T01:07:57Z",
"published": "2022-05-13T01:07:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10908"
},
{
"type": "WEB",
"url": "https://github.com/airsonic/airsonic/commit/61c842923a6d60d4aedd126445a8437b53b752c8"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8VX9-59H6-X23V
Vulnerability from github – Published: 2022-05-13 01:10 – Updated: 2022-05-13 01:10An issue was discovered on the D-Link DWR-932B router. WPS PIN generation is based on srand(time(0)) seeding.
{
"affected": [],
"aliases": [
"CVE-2016-10180"
],
"database_specific": {
"cwe_ids": [
"CWE-1241",
"CWE-330",
"CWE-335",
"CWE-338"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-01-30T04:59:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered on the D-Link DWR-932B router. WPS PIN generation is based on srand(time(0)) seeding.",
"id": "GHSA-8vx9-59h6-x23v",
"modified": "2022-05-13T01:10:32Z",
"published": "2022-05-13T01:10:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-10180"
},
{
"type": "WEB",
"url": "https://pierrekim.github.io/blog/2016-09-28-dlink-dwr-932b-lte-routers-vulnerabilities.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/95877"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.