CWE-331
Insufficient Entropy
The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.
CVE-2023-36610 (GCVE-0-2023-36610)
Vulnerability from cvelistv5 – Published: 2023-07-03 20:01 – Updated: 2024-10-25 13:08
Summary
The affected TBox RTUs generate software security tokens using insufficient entropy. The random seed used to generate the software tokens is not initialized correctly, and other parts of the token are generated using predictable time-based values. An attacker with this knowledge could successfully brute force the token and authenticate themselves.
Severity
5.9 (Medium)
CWE
- CWE-331 - Insufficient Entropy
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.cisa.gov/news-events/ics-advisories/i… | government-resource |
Impacted products
5 products
| Vendor | Product | Version |
|---|---|---|
| Ovarro | TBox MS-CPU32 | Affected: 0, ≤ 1.50.598 (custom) |
| Ovarro | TBox MS-CPU32-S2 | Affected: 0, ≤ 1.50.598 (custom) |
| Ovarro | TBox LT2 | Affected: 0, ≤ 1.50.598 (custom) |
| Ovarro | TBox TG2 | Affected: 0, ≤ 1.50.598 (custom) |
| Ovarro | TBox RM2 | Affected: 0, ≤ 1.50.598 (custom) |
Date Public
2023-06-29 18:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T16:52:54.193Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"government-resource",
"x_transferred"
],
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-180-03"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-36610",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-25T13:04:55.721103Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-25T13:08:23.603Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "TBox MS-CPU32",
"vendor": "Ovarro",
"versions": [
{
"lessThanOrEqual": "1.50.598",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "\u200bTBox MS-CPU32-S2",
"vendor": "Ovarro",
"versions": [
{
"lessThanOrEqual": "1.50.598",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "TBox LT2",
"vendor": "Ovarro",
"versions": [
{
"lessThanOrEqual": "1.50.598",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "TBox TG2",
"vendor": "Ovarro",
"versions": [
{
"lessThanOrEqual": "1.50.598",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "TBox RM2",
"vendor": "Ovarro",
"versions": [
{
"lessThanOrEqual": "1.50.598",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Floris Hendriks"
},
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Jeroen Wijenbergh"
},
{
"lang": "en",
"type": "reporter",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Radboud University"
}
],
"datePublic": "2023-06-29T18:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u200bThe affected TBox RTUs generate software security tokens using insufficient entropy. The random seed used to generate the software tokens is not initialized correctly, and other parts of the token are generated using predictable time-based values. An attacker with this knowledge could successfully brute force the token and authenticate themselves.\u003c/span\u003e\n\n"
}
],
"value": "\n\u200bThe affected TBox RTUs generate software security tokens using insufficient entropy. The random seed used to generate the software tokens is not initialized correctly, and other parts of the token are generated using predictable time-based values. An attacker with this knowledge could successfully brute force the token and authenticate themselves.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-331",
"description": "CWE-331 Insufficient Entropy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-03T20:01:31.978Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-180-03"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2023-36610",
"datePublished": "2023-07-03T20:01:31.978Z",
"dateReserved": "2023-06-23T20:39:08.361Z",
"dateUpdated": "2024-10-25T13:08:23.603Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-4344 (GCVE-0-2023-4344)
Vulnerability from cvelistv5 – Published: 2023-08-15 18:25 – Updated: 2025-11-04 16:10
Title
Broadcom RAID Controller web interface is vulnerable to insufficient randomness due to improper use of ssl.rnd to setup CIM connection
Summary
Broadcom RAID Controller web interface is vulnerable to insufficient randomness due to improper use of ssl.rnd to setup CIM connection
Severity
9.8 (Critical)
CWE
- CWE-331 - Insufficient Entropy
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Broadcom | LSI Storage Authority (LSA) | Affected: 0, < 7.017.011.000 (custom) |
| Intel | RAID Web Console 3 (RWC3) | Affected: 0, < 7.017.011.000 (custom) |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-04T16:10:36.254Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.broadcom.com/support/resources/product-security-center"
},
{
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00926.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-4344",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-08T19:24:49.458889Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-08T19:26:09.035Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "LSI Storage Authority (LSA)",
"vendor": "Broadcom",
"versions": [
{
"lessThan": "7.017.011.000",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "RAID Web Console 3 (RWC3)",
"vendor": "Intel",
"versions": [
{
"lessThan": "7.017.011.000",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Intel DCG"
}
],
"descriptions": [
{
"lang": "en",
"value": "Broadcom RAID Controller web interface is vulnerable to insufficient randomness due to improper use of ssl.rnd to setup CIM connection"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-331",
"description": "CWE-331: Insufficient Entropy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-05T21:58:03.947Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://www.broadcom.com/support/resources/product-security-center"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "This issue is fixed in 7.017.011.000. For more information please contact your Broadcom representative."
}
],
"value": "This issue is fixed in 7.017.011.000. For more information please contact your Broadcom representative."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Broadcom RAID Controller web interface is vulnerable to insufficient randomness due to improper use of ssl.rnd to setup CIM connection",
"x_generator": {
"engine": "cveClient/1.0.15"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2023-4344",
"datePublished": "2023-08-15T18:25:34.072Z",
"dateReserved": "2023-08-14T21:29:52.908Z",
"dateUpdated": "2025-11-04T16:10:36.254Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-46648 (GCVE-0-2023-46648)
Vulnerability from cvelistv5 – Published: 2023-12-21 20:45 – Updated: 2024-08-02 20:53
Title
Insufficient Entropy in GitHub Enterprise Server Management Console Invitation Token
Summary
An insufficient entropy vulnerability was identified in GitHub Enterprise Server (GHES) that allowed an attacker to brute force a user invitation to the GHES Management Console. To exploit this vulnerability, an attacker would need knowledge that a user invitation was pending. This vulnerability affected all versions of GitHub Enterprise Server since 3.8 and was fixed in version 3.8.12, 3.9.7, 3.10.4, and 3.11.1. This vulnerability was reported via the GitHub Bug Bounty program.
Severity
8.3 (High)
CWE
- CWE-331 - Insufficient Entropy
Assigner
References
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| GitHub | Enterprise Server | Affected: 3.8.0, < 3.8.12 (semver); Affected: 3.9.0, < 3.9.7 (semver); Affected: 3.10.0, < 3.10.4 (semver); Affected: 3.11.0, < 3.11.1 (semver) |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:53:20.919Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://docs.github.com/en/enterprise-server@3.8/admin/release-notes#3.8.12"
},
{
"tags": [
"x_transferred"
],
"url": "https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.7"
},
{
"tags": [
"x_transferred"
],
"url": "https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.4"
},
{
"tags": [
"x_transferred"
],
"url": "https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Enterprise Server",
"vendor": "GitHub",
"versions": [
{
"lessThan": "3.8.12",
"status": "affected",
"version": "3.8.0",
"versionType": "semver"
},
{
"lessThan": "3.9.7",
"status": "affected",
"version": "3.9.0",
"versionType": "semver"
},
{
"lessThan": "3.10.4",
"status": "affected",
"version": "3.10.0",
"versionType": "semver"
},
{
"lessThan": "3.11.1",
"status": "affected",
"version": "3.11.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Imre Rad"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An insufficient entropy vulnerability was identified in GitHub Enterprise Server (GHES) that allowed an attacker to brute force a user invitation to the GHES Management Console. To exploit this vulnerability, an attacker would need knowledge that a user invitation was pending. This vulnerability affected all versions of GitHub Enterprise Server since 3.8 and was fixed in version 3.8.12, 3.9.7, 3.10.4, and 3.11.1. This vulnerability was reported via the GitHub Bug Bounty program.\u003cbr\u003e"
}
],
"value": "An insufficient entropy vulnerability was identified in GitHub Enterprise Server (GHES) that allowed an attacker to brute force a user invitation to the GHES Management Console. To exploit this vulnerability, an attacker would need knowledge that a user invitation was pending. This vulnerability affected all versions of GitHub Enterprise Server since 3.8 and was fixed in version 3.8.12, 3.9.7, 3.10.4, and 3.11.1. This vulnerability was reported via the GitHub Bug Bounty program.\n"
}
],
"impacts": [
{
"capecId": "CAPEC-112",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-112 Brute Force"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-331",
"description": "CWE-331 Insufficient Entropy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-21T20:45:45.845Z",
"orgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
"shortName": "GitHub_P"
},
"references": [
{
"url": "https://docs.github.com/en/enterprise-server@3.8/admin/release-notes#3.8.12"
},
{
"url": "https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.7"
},
{
"url": "https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.4"
},
{
"url": "https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.1"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Insufficient Entropy in GitHub Enterprise Server Management Console Invitation Token",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
"assignerShortName": "GitHub_P",
"cveId": "CVE-2023-46648",
"datePublished": "2023-12-21T20:45:45.845Z",
"dateReserved": "2023-10-24T13:41:13.390Z",
"dateUpdated": "2024-08-02T20:53:20.919Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-49599 (GCVE-0-2023-49599)
Vulnerability from cvelistv5 – Published: 2024-01-10 15:48 – Updated: 2025-11-04 18:19
Summary
An insufficient entropy vulnerability exists in the salt generation functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted series of HTTP requests can lead to privilege escalation. An attacker can gather system information via HTTP requests and brute force the salt offline, leading to forging a legitimate password recovery code for the admin user.
Severity
9.8 (Critical)
CWE
- CWE-331 - Insufficient Entropy
Assigner
References
1 reference
Impacted products
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-04T18:19:44.073Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://talosintelligence.com/vulnerability_reports/TALOS-2023-1900",
"tags": [
"x_transferred"
],
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2023-1900"
},
{
"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2023-1900"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-49599",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-01-30T18:15:41.930633Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T20:59:16.300Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "AVideo",
"vendor": "WWBN",
"versions": [
{
"status": "affected",
"version": "dev master commit 15fed957fb"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Discovered by Claudio Bozzato of Cisco Talos."
}
],
"descriptions": [
{
"lang": "en",
"value": "An insufficient entropy vulnerability exists in the salt generation functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted series of HTTP requests can lead to privilege escalation. An attacker can gather system information via HTTP requests and brute force the salt offline, leading to forging a legitimate password recovery code for the admin user."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-331",
"description": "CWE-331: Insufficient Entropy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-12T18:38:44.344Z",
"orgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b",
"shortName": "talos"
},
"references": [
{
"name": "https://talosintelligence.com/vulnerability_reports/TALOS-2023-1900",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2023-1900"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b",
"assignerShortName": "talos",
"cveId": "CVE-2023-49599",
"datePublished": "2024-01-10T15:48:07.636Z",
"dateReserved": "2023-12-07T15:58:13.801Z",
"dateUpdated": "2025-11-04T18:19:44.073Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-22473 (GCVE-0-2024-22473)
Vulnerability from cvelistv5 – Published: 2024-02-21 18:13 – Updated: 2024-09-27 16:06
Title
Uninitialized TRNG used for ECDSA after EM2/EM3 sleep for VSE devices
Summary
TRNG is used before initialization by ECDSA signing driver when exiting EM2/EM3 on Virtual Secure Vault (VSE) devices. This defect may allow Signature Spoofing by Key Recreation. This issue affects Gecko SDK through v4.4.0.
Severity
6.8 (Medium)
CWE
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| silabs.com | GSDK | Affected: 0, ≤ 4.4.0 (4.4.x and earlier) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-22473",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-21T20:24:22.961810Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-05T17:21:52.747Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:51:09.859Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://community.silabs.com/068Vm000001FrjT"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"platforms": [
"ARM"
],
"product": "GSDK",
"repo": "https://github.com/SiliconLabs/gecko_sdk/releases",
"vendor": "silabs.com",
"versions": [
{
"lessThanOrEqual": "4.4.0",
"status": "affected",
"version": "0",
"versionType": "4.4.x and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "TRNG is used before initialization by ECDSA signing driver when exiting EM2/EM3 on Virtual Secure Vault (VSE) devices. This defect may allow Signature Spoofing by Key Recreation.\u003cp\u003eThis issue affects Gecko SDK through v4.4.0.\u003c/p\u003e"
}
],
"value": "TRNG is used before initialization by ECDSA signing driver when exiting EM2/EM3 on Virtual Secure Vault (VSE) devices. This defect may allow Signature Spoofing by Key Recreation.This issue affects Gecko SDK through v4.4.0."
}
],
"impacts": [
{
"capecId": "CAPEC-474",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-474 Signature Spoofing by Key Theft"
}
]
},
{
"capecId": "CAPEC-485",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-485 Signature Spoofing by Key Recreation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1279",
"description": "CWE-1279 Cryptographic Operations are run Before Supporting Units are Ready",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-331",
"description": "CWE-331 Insufficient Entropy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-27T16:06:44.910Z",
"orgId": "030b2754-1501-44a4-bef8-48be86a33bf4",
"shortName": "Silabs"
},
"references": [
{
"url": "https://community.silabs.com/068Vm000001FrjT"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Uninitialized TRNG used for ECDSA after EM2/EM3 sleep for VSE devices",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "030b2754-1501-44a4-bef8-48be86a33bf4",
"assignerShortName": "Silabs",
"cveId": "CVE-2024-22473",
"datePublished": "2024-02-21T18:13:10.241Z",
"dateReserved": "2024-01-10T19:20:24.393Z",
"dateUpdated": "2024-09-27T16:06:44.910Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-36400 (GCVE-0-2024-36400)
Vulnerability from cvelistv5 – Published: 2024-06-04 14:11 – Updated: 2024-08-02 03:37
Title
nano-id is unable to generate the correct character set
Summary
nano-id is a unique string ID generator for Rust. Affected versions of the nano-id crate incorrectly generated IDs using a reduced character set in the `nano_id::base62` and `nano_id::base58` functions. Specifically, the `base62` function used a character set of 32 symbols instead of the intended 62 symbols, and the `base58` function used a character set of 16 symbols instead of the intended 58 symbols. Additionally, the `nano_id::gen` macro is also affected when a custom character set that is not a power of 2 in size is specified. It should be noted that `nano_id::base64` is not affected by this vulnerability. This can result in a significant reduction in entropy, making the generated IDs predictable and vulnerable to brute-force attacks when the IDs are used in security-sensitive contexts such as session tokens or unique identifiers. The vulnerability is fixed in 0.4.0.
Severity
9.4 (Critical)
CWE
- CWE-331 - Insufficient Entropy
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/viz-rs/nano-id/security/adviso… | x_refsource_CONFIRM |
| https://github.com/viz-rs/nano-id/commit/a9022772… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:viz-rs:nano-id:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "nano-id",
"vendor": "viz-rs",
"versions": [
{
"lessThan": "0.4.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-36400",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-04T15:30:53.603245Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-05T05:15:37.447Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:37:05.234Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/viz-rs/nano-id/security/advisories/GHSA-9hc7-6w9r-wj94",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/viz-rs/nano-id/security/advisories/GHSA-9hc7-6w9r-wj94"
},
{
"name": "https://github.com/viz-rs/nano-id/commit/a9022772b2f1ce38929b5b81eccc670ac9d3ab23",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/viz-rs/nano-id/commit/a9022772b2f1ce38929b5b81eccc670ac9d3ab23"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "nano-id",
"vendor": "viz-rs",
"versions": [
{
"status": "affected",
"version": "\u003c 0.4.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "nano-id is a unique string ID generator for Rust. Affected versions of the nano-id crate incorrectly generated IDs using a reduced character set in the `nano_id::base62` and `nano_id::base58` functions. Specifically, the `base62` function used a character set of 32 symbols instead of the intended 62 symbols, and the `base58` function used a character set of 16 symbols instead of the intended 58 symbols. Additionally, the `nano_id::gen` macro is also affected when a custom character set that is not a power of 2 in size is specified. It should be noted that `nano_id::base64` is not affected by this vulnerability. This can result in a significant reduction in entropy, making the generated IDs predictable and vulnerable to brute-force attacks when the IDs are used in security-sensitive contexts such as session tokens or unique identifiers. The vulnerability is fixed in 0.4.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-331",
"description": "CWE-331: Insufficient Entropy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T14:11:26.945Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/viz-rs/nano-id/security/advisories/GHSA-9hc7-6w9r-wj94",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/viz-rs/nano-id/security/advisories/GHSA-9hc7-6w9r-wj94"
},
{
"name": "https://github.com/viz-rs/nano-id/commit/a9022772b2f1ce38929b5b81eccc670ac9d3ab23",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/viz-rs/nano-id/commit/a9022772b2f1ce38929b5b81eccc670ac9d3ab23"
}
],
"source": {
"advisory": "GHSA-9hc7-6w9r-wj94",
"discovery": "UNKNOWN"
},
"title": "nano-id is unable to generate the correct character set"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-36400",
"datePublished": "2024-06-04T14:11:26.945Z",
"dateReserved": "2024-05-27T15:59:57.030Z",
"dateUpdated": "2024-08-02T03:37:05.234Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-38270 (GCVE-0-2024-38270)
Vulnerability from cvelistv5 – Published: 2024-09-10 01:20 – Updated: 2024-09-10 15:15
Summary
An insufficient entropy vulnerability caused by the improper use of a randomness function with low entropy for web authentication tokens generation exists in the Zyxel GS1900-10HP firmware version V2.80(AAZI.0)C0. This vulnerability could allow a LAN-based attacker a slight chance to gain a valid session token if multiple authenticated sessions are alive.
Severity
5.3 (Medium)
CWE
- CWE-331 - Insufficient Entropy
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.zyxel.com/global/en/support/security-… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| Zyxel | GS1900-10HP firmware | Affected: V2.80(AAZI.0)C0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-38270",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T15:13:31.308353Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-10T15:15:34.477Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "GS1900-10HP firmware",
"vendor": "Zyxel",
"versions": [
{
"status": "affected",
"version": "V2.80(AAZI.0)C0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An insufficient entropy vulnerability caused by the improper use of a randomness function with low entropy for web authentication tokens generation exists in the Zyxel GS1900-10HP firmware version V2.80(AAZI.0)C0. This vulnerability could allow a LAN-based attacker a slight chance to gain a valid session token if multiple authenticated sessions are alive."
}
],
"value": "An insufficient entropy vulnerability caused by the improper use of a randomness function with low entropy for web authentication tokens generation exists in the Zyxel GS1900-10HP firmware version V2.80(AAZI.0)C0. This vulnerability could allow a LAN-based attacker a slight chance to gain a valid session token if multiple authenticated sessions are alive."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-331",
"description": "CWE-331 Insufficient Entropy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-10T01:20:09.147Z",
"orgId": "96e50032-ad0d-4058-a115-4d2c13821f9f",
"shortName": "Zyxel"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-insufficient-entropy-vulnerability-for-web-authentication-tokens-generation-in-gs1900-series-switches-09-10-2024"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "96e50032-ad0d-4058-a115-4d2c13821f9f",
"assignerShortName": "Zyxel",
"cveId": "CVE-2024-38270",
"datePublished": "2024-09-10T01:20:09.147Z",
"dateReserved": "2024-06-12T09:11:12.898Z",
"dateUpdated": "2024-09-10T15:15:34.477Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-52322 (GCVE-0-2024-52322)
Vulnerability from cvelistv5 – Published: 2025-04-05 16:19 – Updated: 2025-09-05 13:18
Title
WebService::Xero 0.11 for Perl uses insecure rand() function for cryptographic functions
Summary
WebService::Xero 0.11 and earlier for Perl uses the rand() function as the default source of entropy, which is not cryptographically secure, for cryptographic functions.
Specifically, WebService::Xero uses the Data::Random library, which states that it is "Useful mostly for test programs". Data::Random uses the rand() function.
Severity
5.5 (Medium)
References
7 references
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| LOCALSHOP | WebService::Xero | Affected: 0, ≤ 0.11 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-52322",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-07T14:31:25.607874Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-07T18:27:17.265Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "WebService-Xero",
"product": "WebService::Xero",
"programFiles": [
"lib/WebService/Xero/Agent/PublicApplication.pm",
"lib/WebService/Xero/Agent.pm"
],
"vendor": "LOCALSHOP",
"versions": [
{
"lessThanOrEqual": "0.11",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Robert Rothenberg (RRWO)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "WebService::Xero 0.11 and earlier for Perl uses the rand() function as the default source of entropy, which is not cryptographically secure, for cryptographic functions.\u003cbr\u003e\u003cbr\u003eSpecifically WebService::Xero uses the Data::Random library which specifically states that it is \"\u003cspan style=\"background-color: rgb(245, 245, 245);\"\u003eUseful mostly for test programs\u003c/span\u003e\". Data::Random uses the rand() function."
}
],
"value": "WebService::Xero 0.11 and earlier for Perl uses the rand() function as the default source of entropy, which is not cryptographically secure, for cryptographic functions.\n\nSpecifically WebService::Xero uses the Data::Random library which specifically states that it is \"Useful mostly for test programs\". Data::Random uses the rand() function."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-338",
"description": "CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-331",
"description": "CWE-331 Insufficient Entropy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-05T13:18:07.029Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"url": "https://perldoc.perl.org/functions/rand"
},
{
"url": "https://security.metacpan.org/docs/guides/random-data-for-security.html"
},
{
"url": "https://metacpan.org/release/BAREFOOT/Data-Random-0.13/source/lib/Data/Random.pm#L537"
},
{
"url": "https://metacpan.org/release/LOCALSHOP/WebService-Xero-0.11/source/lib/WebService/Xero/Agent.pm#L17"
},
{
"url": "https://metacpan.org/release/LOCALSHOP/WebService-Xero-0.11/source/lib/WebService/Xero/Agent.pm#L178"
},
{
"url": "https://metacpan.org/release/LOCALSHOP/WebService-Xero-0.11/source/lib/WebService/Xero/Agent/PublicApplication.pm#L13"
},
{
"url": "https://metacpan.org/release/LOCALSHOP/WebService-Xero-0.11/source/lib/WebService/Xero/Agent/PublicApplication.pm#L93"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "WebService::Xero 0.11 for Perl uses insecure rand() function for cryptographic functions",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2024-52322",
"datePublished": "2025-04-05T16:19:16.490Z",
"dateReserved": "2025-03-26T14:00:56.456Z",
"dateUpdated": "2025-09-05T13:18:07.029Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-56370 (GCVE-0-2024-56370)
Vulnerability from cvelistv5 – Published: 2025-04-05 18:26 – Updated: 2025-09-05 13:18
Title
Net::Xero 0.044 and earlier for Perl uses insecure rand() function for cryptographic functions
Summary
Net::Xero 0.044 and earlier for Perl uses the rand() function as the default source of entropy, which is not cryptographically secure, for cryptographic functions.
Specifically, Net::Xero uses the Data::Random library, which states that it is "Useful mostly for test programs". Data::Random uses the rand() function.
Severity
6.5 (Medium)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-56370",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-14T17:44:45.535548Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-14T17:45:24.817Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Net-Xero",
"product": "Net::Xero",
"programFiles": [
"lib/Net/Xero.pm"
],
"vendor": "ELLIOTT",
"versions": [
{
"lessThanOrEqual": "0.44",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Robert Rothenberg (RRWO)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Net::Xero 0.044 and earlier for Perl uses the rand() function as the default source of entropy, which is not cryptographically secure, for cryptographic functions.\u003cbr\u003e\u003cbr\u003eSpecifically Net::Xero uses the Data::Random library which specifically states that it is \"\u003cspan style=\"background-color: rgb(245, 245, 245);\"\u003eUseful mostly for test programs\u003c/span\u003e\". Data::Random uses the rand() function."
}
],
"value": "Net::Xero 0.044 and earlier for Perl uses the rand() function as the default source of entropy, which is not cryptographically secure, for cryptographic functions.\n\nSpecifically Net::Xero uses the Data::Random library which specifically states that it is \"Useful mostly for test programs\". Data::Random uses the rand() function."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-338",
"description": "CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-331",
"description": "CWE-331 Insufficient Entropy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-05T13:18:38.369Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"url": "https://perldoc.perl.org/functions/rand"
},
{
"url": "https://security.metacpan.org/docs/guides/random-data-for-security.html"
},
{
"url": "https://metacpan.org/release/BAREFOOT/Data-Random-0.13/source/lib/Data/Random.pm#L537"
},
{
"url": "https://metacpan.org/release/ELLIOTT/Net-Xero-0.44/source/lib/Net/Xero.pm#L58"
},
{
"url": "https://metacpan.org/release/ELLIOTT/Net-Xero-0.44/source/lib/Net/Xero.pm#L9"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Net::Xero 0.044 and earlier for Perl uses insecure rand() function for cryptographic functions",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2024-56370",
"datePublished": "2025-04-05T18:26:22.102Z",
"dateReserved": "2025-03-26T14:00:56.418Z",
"dateUpdated": "2025-09-05T13:18:38.369Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-57868 (GCVE-0-2024-57868)
Vulnerability from cvelistv5 – Published: 2025-04-05 15:35 – Updated: 2025-09-05 13:18
Title
Web::API 2.8 and earlier for Perl uses insecure rand() function for cryptographic functions
Summary
Web::API 2.8 and earlier for Perl uses the rand() function as the default source of entropy, which is not cryptographically secure, for cryptographic functions.
Specifically, Web::API uses the Data::Random library, which states that it is "Useful mostly for test programs". Data::Random uses the rand() function.
Severity
5.5 (Medium)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-57868",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-07T14:34:20.328851Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-07T18:29:17.622Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Web-API",
"product": "Web::API",
"programFiles": [
"lib/Web/API.pm"
],
"vendor": "LEV",
"versions": [
{
"lessThanOrEqual": "2.8",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Robert Rothenberg (RRWO)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Web::API 2.8 and earlier for Perl uses the rand() function as the default source of entropy, which is not cryptographically secure, for cryptographic functions.\u003cbr\u003e\u003cbr\u003eSpecifically Web::API uses the Data::Random library which specifically states that it is \"\u003cspan style=\"background-color: rgb(245, 245, 245);\"\u003eUseful mostly for test programs\u003c/span\u003e\". Data::Random uses the rand() function."
}
],
"value": "Web::API 2.8 and earlier for Perl uses the rand() function as the default source of entropy, which is not cryptographically secure, for cryptographic functions.\n\nSpecifically Web::API uses the Data::Random library which specifically states that it is \"Useful mostly for test programs\". Data::Random uses the rand() function."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-338",
"description": "CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-331",
"description": "CWE-331 Insufficient Entropy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-05T13:18:59.781Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"url": "https://perldoc.perl.org/functions/rand"
},
{
"url": "https://security.metacpan.org/docs/guides/random-data-for-security.html"
},
{
"url": "https://metacpan.org/release/BAREFOOT/Data-Random-0.13/source/lib/Data/Random.pm#L537"
},
{
"url": "https://metacpan.org/dist/Web-API/source/lib/Web/API.pm#L20"
},
{
"url": "https://metacpan.org/dist/Web-API/source/lib/Web/API.pm#L348"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Web::API 2.8 and earlier for Perl uses insecure rand() function for cryptographic functions",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2024-57868",
"datePublished": "2025-04-05T15:35:05.802Z",
"dateReserved": "2025-03-26T14:00:56.441Z",
"dateUpdated": "2025-09-05T13:18:59.781Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Mitigation
Phase: Implementation
Description:
- Determine how much entropy is needed for values to be adequately random and unpredictable. This can be achieved by increasing the number of bits of objects such as keys and seeds.
CAPEC-59: Session Credential Falsification through Prediction
This attack targets a predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.