Common Weakness Enumeration

CWE-338

Allowed

Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

Abstraction: Base · Status: Draft

The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.

295 vulnerabilities reference this CWE, most recent first.

GHSA-34WX-V4H8-8XH4

Vulnerability from github – Published: 2022-05-24 19:04 – Updated: 2022-05-24 19:04
VLAI
Details

Use of cryptographically weak pseudo-random number generator (PRNG) in an API for the Intel(R) Security Library before version 3.3 may allow an authenticated user to potentially enable information disclosure via network access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-0131"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-338"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-06-09T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Use of cryptographically weak pseudo-random number generator (PRNG) in an API for the Intel(R) Security Library before version 3.3 may allow an authenticated user to potentially enable information disclosure via network access.",
  "id": "GHSA-34wx-v4h8-8xh4",
  "modified": "2022-05-24T19:04:23Z",
  "published": "2022-05-24T19:04:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0131"
    },
    {
      "type": "WEB",
      "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00521.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-3585-G468-XFC2

Vulnerability from github – Published: 2026-07-08 06:31 – Updated: 2026-07-08 06:31
VLAI
Details

The DoLogin Security plugin for WordPress is vulnerable to Authentication Bypass via Insufficient Randomness in all versions up to, and including, 4.3. The vulnerability exists because dologin\s::rrand() seeds the Mersenne Twister with mt_srand((double) microtime() * 1000000) — discarding the integer-seconds component of microtime() and constraining the seed to a range of approximately 10^6 values (~20 bits of entropy) — after which every character of the 32-character magic-link token is drawn sequentially with mt_rand(), making the entire token a deterministic function of that seed. Because Pswdless::try_login() is registered on the unauthenticated init hook, resolves the target account by the auto-increment numeric ID embedded in the ?dologin=<id>.<hash> parameter, performs the hash comparison using a non-constant-time != operator, and then calls wp_set_auth_cookie() directly — never passing through wp_authenticate() and therefore never triggering the plugin's own Auth::_has_login_err() lockout — an unauthenticated attacker can brute-force the ~10^6-candidate seed space to reconstruct an active passwordless login token and authenticate as any targeted user, including administrators, without a password. Exploitation requires that a valid, unexpired passwordless login link (active for up to 7 days) exists for the target account at the time of the attack, and that the numeric link ID is known or guessable from the auto-increment primary key.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-14495"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-338"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-08T06:16:22Z",
    "severity": "HIGH"
  },
  "details": "The DoLogin Security plugin for WordPress is vulnerable to Authentication Bypass via Insufficient Randomness in all versions up to, and including, 4.3. The vulnerability exists because `dologin\\s::rrand()` seeds the Mersenne Twister with `mt_srand((double) microtime() * 1000000)` \u2014 discarding the integer-seconds component of `microtime()` and constraining the seed to a range of approximately 10^6 values (~20 bits of entropy) \u2014 after which every character of the 32-character magic-link token is drawn sequentially with `mt_rand()`, making the entire token a deterministic function of that seed. Because `Pswdless::try_login()` is registered on the unauthenticated `init` hook, resolves the target account by the auto-increment numeric ID embedded in the `?dologin=\u003cid\u003e.\u003chash\u003e` parameter, performs the hash comparison using a non-constant-time `!=` operator, and then calls `wp_set_auth_cookie()` directly \u2014 never passing through `wp_authenticate()` and therefore never triggering the plugin\u0027s own `Auth::_has_login_err()` lockout \u2014 an unauthenticated attacker can brute-force the ~10^6-candidate seed space to reconstruct an active passwordless login token and authenticate as any targeted user, including administrators, without a password. Exploitation requires that a valid, unexpired passwordless login link (active for up to 7 days) exists for the target account at the time of the attack, and that the numeric link ID is known or guessable from the auto-increment primary key.",
  "id": "GHSA-3585-g468-xfc2",
  "modified": "2026-07-08T06:31:36Z",
  "published": "2026-07-08T06:31:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14495"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/dologin/tags/4.3/src/pswdless.cls.php#L197"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/dologin/tags/4.3/src/pswdless.cls.php#L27"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/dologin/tags/4.3/src/pswdless.cls.php#L86"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/dologin/tags/4.3/src/s.cls.php#L240"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/16bce371-b524-48eb-8537-3f9df802abd3?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-38M3-MRRG-HX5G

Vulnerability from github – Published: 2022-05-24 16:46 – Updated: 2024-04-04 00:49
VLAI
Details

Use of cryptographically weak PRNG in the password recovery token generation of Revive Adserver < v4.2.1 causes a potential authentication bypass attack if an attacker exploits the password recovery functionality.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-5440"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-338"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-05-28T19:29:00Z",
    "severity": "HIGH"
  },
  "details": "Use of cryptographically weak PRNG in the password recovery token generation of Revive Adserver \u003c v4.2.1 causes a potential authentication bypass attack if an attacker exploits the password recovery functionality.",
  "id": "GHSA-38m3-mrrg-hx5g",
  "modified": "2024-04-04T00:49:09Z",
  "published": "2022-05-24T16:46:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-5440"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/576504"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-39PQ-3MH9-M5QG

Vulnerability from github – Published: 2022-11-07 12:00 – Updated: 2025-06-24 18:33
VLAI
Details

An issue was discovered in Object First 1.0.7.712. The authorization service has a flow that allows getting access to the Web UI without knowing credentials. For signing, the JWT token uses a secret key that is generated through a function that doesn't produce cryptographically strong sequences. An attacker can predict these sequences and generate a JWT token. As a result, an attacker can get access to the Web UI. This is fixed in 1.0.13.1611.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-44796"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-338"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-07T04:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "An issue was discovered in Object First 1.0.7.712. The authorization service has a flow that allows getting access to the Web UI without knowing credentials. For signing, the JWT token uses a secret key that is generated through a function that doesn\u0027t produce cryptographically strong sequences. An attacker can predict these sequences and generate a JWT token. As a result, an attacker can get access to the Web UI. This is fixed in 1.0.13.1611.",
  "id": "GHSA-39pq-3mh9-m5qg",
  "modified": "2025-06-24T18:33:07Z",
  "published": "2022-11-07T12:00:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-44796"
    },
    {
      "type": "WEB",
      "url": "https://objectfirst.com/security/of-20221024-0002"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3M67-FQ74-F4QG

Vulnerability from github – Published: 2026-06-18 21:32 – Updated: 2026-06-18 21:32
VLAI
Details

Mojolicious::Sessions::Storable versions through 0.05 for Perl generate session ids insecurely.

The default session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, the heap address of an anonymous hash, and the PID.

These are predictable or low-entropy sources that are unsuitable for security purposes.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-9692"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-338"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-18T19:16:23Z",
    "severity": "MODERATE"
  },
  "details": "Mojolicious::Sessions::Storable versions through 0.05 for Perl generate session ids insecurely.\n\nThe default session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, the heap address of an anonymous hash, and the PID.\n\nThese are predictable or low-entropy sources that are unsuitable for security purposes.",
  "id": "GHSA-3m67-fq74-f4qg",
  "modified": "2026-06-18T21:32:34Z",
  "published": "2026-06-18T21:32:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9692"
    },
    {
      "type": "WEB",
      "url": "https://metacpan.org/release/HAYAJO/Mojolicious-Plugin-SessionStore-0.05/source/lib/Mojolicious/Sessions/Storable.pm#L11-15"
    },
    {
      "type": "WEB",
      "url": "https://security.metacpan.org/docs/guides/random-data-for-security.html"
    },
    {
      "type": "WEB",
      "url": "https://security.metacpan.org/patches/M/Mojolicious-Plugin-SessionStore/0.05/CVE-2026-9692-r1.patch"
    },
    {
      "type": "WEB",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-40923"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3R5V-GMFP-3MH9

Vulnerability from github – Published: 2025-05-03 12:30 – Updated: 2026-06-05 15:32
VLAI
Details

Mojolicious versions from 7.28 through 9.39 for Perl may generate weak HMAC session secrets.

When creating a default app with the "mojo generate app" tool, a weak secret is written to the application's configuration file using the insecure rand() function, and used for authenticating and protecting the integrity of the application's sessions. This may allow an attacker to brute force the application's session keys.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-58135"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-338"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-03T11:15:48Z",
    "severity": "MODERATE"
  },
  "details": "Mojolicious versions from 7.28 through 9.39 for Perl may generate weak HMAC session secrets.\n\nWhen creating a default app with the \"mojo generate app\" tool, a weak secret is written to the application\u0027s configuration file using the insecure rand() function, and used for authenticating and protecting the integrity of the application\u0027s sessions. This may allow an attacker to brute force the application\u0027s session keys.",
  "id": "GHSA-3r5v-gmfp-3mh9",
  "modified": "2026-06-05T15:32:03Z",
  "published": "2025-05-03T12:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-58135"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hashcat/hashcat/pull/4090"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mojolicious/mojo/pull/2200"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mojolicious/mojo/commit/789cfa43f9118852b38cbd1fd0a2596bcb9821ea.patch"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mojolicious/mojo/commit/fb3733f92cc8a3344e6d615b3c7dac9d538eeab0.patch"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-perl/2025/05/msg00016.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-perl/2025/05/msg00017.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-perl/2025/05/msg00018.html"
    },
    {
      "type": "WEB",
      "url": "https://metacpan.org/release/SRI/Mojolicious-7.28/source/lib/Mojolicious/Command/generate/app.pm#L220"
    },
    {
      "type": "WEB",
      "url": "https://metacpan.org/release/SRI/Mojolicious-9.38/source/lib/Mojolicious/Command/Author/generate/app.pm#L202"
    },
    {
      "type": "WEB",
      "url": "https://metacpan.org/release/SRI/Mojolicious-9.39/source/lib/Mojo/Util.pm#L181"
    },
    {
      "type": "WEB",
      "url": "https://metacpan.org/release/SRI/Mojolicious-9.46/source/Changes"
    },
    {
      "type": "WEB",
      "url": "https://perldoc.perl.org/functions/rand"
    },
    {
      "type": "WEB",
      "url": "https://security.metacpan.org/docs/guides/random-data-for-security.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3RRQ-P5GV-7828

Vulnerability from github – Published: 2022-05-13 01:47 – Updated: 2022-05-13 01:47
VLAI
Details

Poor cryptographic salt initialization in admin/inc/template_functions.php in GetSimple CMS 3.3.13 allows a network attacker to escalate privileges to an arbitrary user or conduct CSRF attacks via calculation of a session cookie or CSRF nonce.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-8081"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-338"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-04-30T19:59:00Z",
    "severity": "HIGH"
  },
  "details": "Poor cryptographic salt initialization in admin/inc/template_functions.php in GetSimple CMS 3.3.13 allows a network attacker to escalate privileges to an arbitrary user or conduct CSRF attacks via calculation of a session cookie or CSRF nonce.",
  "id": "GHSA-3rrq-p5gv-7828",
  "modified": "2022-05-13T01:47:16Z",
  "published": "2022-05-13T01:47:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-8081"
    },
    {
      "type": "WEB",
      "url": "https://github.com/GetSimpleCMS/GetSimpleCMS/issues/1224"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3RW7-PF56-37CV

Vulnerability from github – Published: 2026-06-12 18:31 – Updated: 2026-06-12 18:31
VLAI
Details

Crypt::PBKDF2 versions before 0.261630 for Perl generate insecure random values for salts.

These versions use the built-in rand function, which is predictable and unsuitable for cryptography.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-9638"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-338"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-12T16:16:34Z",
    "severity": "HIGH"
  },
  "details": "Crypt::PBKDF2 versions before 0.261630 for Perl generate insecure random values for salts.\n\nThese versions use the built-in rand function, which is predictable and unsuitable for cryptography.",
  "id": "GHSA-3rw7-pf56-37cv",
  "modified": "2026-06-12T18:31:59Z",
  "published": "2026-06-12T18:31:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9638"
    },
    {
      "type": "WEB",
      "url": "https://metacpan.org/dist/Crypt-PBKDF2/source/lib/Crypt/PBKDF2.pm#L86-93"
    },
    {
      "type": "WEB",
      "url": "https://metacpan.org/release/ARODLAND/Crypt-PBKDF2-0.261630/changes"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/06/12/4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3VCR-G3HM-2QR2

Vulnerability from github – Published: 2026-04-08 06:31 – Updated: 2026-04-08 21:33
VLAI
Details

Ado::Sessions versions through 0.935 for Perl generates insecure session ids.

The session id is generated from a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage.

Predicable session ids could allow an attacker to gain access to systems.

Note that Ado is no longer maintained, and has been removed from the CPAN index. It is still available on BackPAN.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-5083"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-338"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-08T06:16:29Z",
    "severity": "MODERATE"
  },
  "details": "Ado::Sessions versions through 0.935 for Perl generates insecure session ids.\n\nThe session id is generated from a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage.\n\nPredicable session ids could allow an attacker to gain access to systems.\n\nNote that Ado is no longer maintained, and has been removed from the CPAN index. It is still available on BackPAN.",
  "id": "GHSA-3vcr-g3hm-2qr2",
  "modified": "2026-04-08T21:33:26Z",
  "published": "2026-04-08T06:31:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5083"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kberov/Ado/issues/112"
    },
    {
      "type": "WEB",
      "url": "https://backpan.perl.org/authors/id/B/BE/BEROV/Ado-0.935.tar.gz"
    },
    {
      "type": "WEB",
      "url": "https://security.metacpan.org/docs/guides/random-data-for-security.html"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/04/08/7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-42F3-32Q6-X99R

Vulnerability from github – Published: 2025-07-16 15:32 – Updated: 2025-07-16 21:30
VLAI
Details

Authen::DigestMD5 versions 0.01 through 0.02 for Perl generate the cnonce insecurely.

The cnonce (client nonce) is generated from an MD5 hash of the PID, the epoch time and the built-in rand function. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage.

According to RFC 2831, "The cnonce-value is an opaque quoted string value provided by the client and used by both client and server to avoid chosen plaintext attacks, and to provide mutual authentication. The security of the implementation depends on a good choice. It is RECOMMENDED that it contain at least 64 bits of entropy."

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-40919"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-338"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-16T14:15:25Z",
    "severity": "MODERATE"
  },
  "details": "Authen::DigestMD5 versions 0.01 through 0.02 for Perl generate the cnonce insecurely.\n\nThe cnonce (client nonce) is generated from an MD5 hash of the PID, the epoch time and the built-in rand function. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage.\n\nAccording to RFC 2831, \"The cnonce-value is an opaque quoted string value provided by the client and used by both client and server to avoid chosen plaintext attacks, and to provide mutual authentication. The security of the implementation depends on a good choice. It is RECOMMENDED that it contain at least 64 bits of entropy.\"",
  "id": "GHSA-42f3-32q6-x99r",
  "modified": "2025-07-16T21:30:35Z",
  "published": "2025-07-16T15:32:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40919"
    },
    {
      "type": "WEB",
      "url": "https://datatracker.ietf.org/doc/html/rfc2831"
    },
    {
      "type": "WEB",
      "url": "https://metacpan.org/release/SALVA/Authen-DigestMD5-0.01/source/DigestMD5.pm#L126"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation

Use functions or hardware which use a hardware-based random number generation for all crypto. This is the recommended solution. Use CyptGenRandom on Windows, or hw_rand() on Linux.

No CAPEC attack patterns related to this CWE.