Total
89 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-29505 | 2 Dell, Oracle | 3 Bsafe Crypto-c-micro-edition, Bsafe Micro-edition-suite, Retail Customer Insights | 2024-11-21 | 5.0 MEDIUM | 7.1 HIGH |
| Dell BSAFE Crypto-C Micro Edition, versions before 4.1.5, and Dell BSAFE Micro Edition Suite, versions before 4.5.2, contain a Key Management Error Vulnerability. | |||||
| CVE-2020-28924 | 2 Fedoraproject, Rclone | 2 Fedora, Rclone | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Rclone before 1.53.3. Due to the use of a weak random number generator, the password generator has been producing weak passwords with much less entropy than advertised. The suggested passwords depend deterministically on the time the second rclone was started. This limits the entropy of the passwords enormously. These passwords are often used in the crypt backend for encryption of data. It would be possible to make a dictionary of all possible passwords with about 38 million entries per password length. This would make decryption of secret material possible with a plausible amount of effort. NOTE: all passwords generated by affected versions should be changed. | |||||
| CVE-2020-25926 | 1 Hcc-embedded | 1 Nichestack Tcp\/ip | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| The DNS client in InterNiche NicheStack TCP/IP 4.0.1 is affected by: Insufficient entropy in the DNS transaction id. The impact is: DNS cache poisoning (remote). The component is: dns_query_type(). The attack vector is: a specific DNS response packet. | |||||
| CVE-2020-1773 | 1 Otrs | 1 Otrs | 2024-11-21 | 5.5 MEDIUM | 7.3 HIGH |
| An attacker with the ability to generate session IDs or password reset tokens, either by being able to authenticate or by exploiting OSA-2020-09, may be able to predict other users session IDs, password reset tokens and automatically generated passwords. This issue affects ((OTRS)) Community Edition: 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS; 7.0.15 and prior versions. | |||||
| CVE-2020-12735 | 1 Domainmod | 1 Domainmod | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| reset.php in DomainMOD 4.13.0 uses insufficient entropy for password reset requests, leading to account takeover. | |||||
| CVE-2020-11957 | 1 Cypress | 1 Psoc 4.2 Ble | 2024-11-21 | 5.4 MEDIUM | 7.5 HIGH |
| The Bluetooth Low Energy implementation in Cypress PSoC Creator BLE 4.2 component versions before 3.64 generates a random number (Pairing Random) with significantly less entropy than the specified 128 bits during BLE pairing. This is the case for both authenticated and unauthenticated pairing with both LE Secure Connections as well as LE Legacy Pairing. A predictable or brute-forceable random number allows an attacker (in radio range) to perform a MITM attack during BLE pairing. | |||||
| CVE-2020-10285 | 1 Ufactory | 2 Xarm 5 Lite, Xarm 5 Lite Firmware | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The authentication implementation on the xArm controller has very low entropy, making it vulnerable to a brute-force attack. There is no mechanism in place to mitigate or lockout automated attempts to gain access. | |||||
| CVE-2019-9555 | 1 Sagemcom | 2 F\@st 5260, F\@st 5260 Firmware | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| Sagemcom F@st 5260 routers using firmware version 0.4.39, in WPA mode, default to using a PSK that is generated from a 2-part wordlist of known values and a nonce with insufficient entropy. The number of possible PSKs is about 1.78 billion, which is too small. | |||||
| CVE-2019-15847 | 2 Gnu, Opensuse | 2 Gcc, Leap | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. For example, within a single execution of a program, the output of every __builtin_darn() call may be the same. | |||||
| CVE-2019-15703 | 1 Fortinet | 1 Fortios | 2024-11-21 | 2.6 LOW | 7.5 HIGH |
| An Insufficient Entropy in PRNG vulnerability in Fortinet FortiOS 6.2.1, 6.2.0, 6.0.8 and below for device not enable hardware TRNG token and models not support builtin TRNG seed allows attacker to theoretically recover the long term ECDSA secret in a TLS client with a RSA handshake and mutual ECDSA authentication via the help of flush+reload side channel attacks in FortiGate VM models only. | |||||
| CVE-2019-14806 | 2 Opensuse, Palletsprojects | 2 Leap, Werkzeug | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Pallets Werkzeug before 0.15.3, when used with Docker, has insufficient debugger PIN randomness because Docker containers share the same machine id. | |||||
| CVE-2019-14317 | 1 Wolfssl | 1 Wolfssl | 2024-11-21 | 4.3 MEDIUM | 5.3 MEDIUM |
| wolfSSL and wolfCrypt 4.1.0 and earlier (formerly known as CyaSSL) generate biased DSA nonces. This allows a remote attacker to compute the long term private key from several hundred DSA signatures via a lattice attack. The issue occurs because dsa.c fixes two bits of the generated nonces. | |||||
| CVE-2019-10064 | 2 Debian, W1.fi | 2 Debian Linux, Hostapd | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| hostapd before 2.6, in EAP mode, makes calls to the rand() and random() standard library functions without any preceding srand() or srandom() call, which results in inappropriate use of deterministic values. This was fixed in conjunction with CVE-2016-10743. | |||||
| CVE-2018-8435 | 1 Microsoft | 2 Windows 10, Windows Server 2016 | 2024-11-21 | 2.3 LOW | 4.2 MEDIUM |
| A security feature bypass vulnerability exists when Windows Hyper-V BIOS loader fails to provide a high-entropy source, aka "Windows Hyper-V Security Feature Bypass Vulnerability." This affects Windows Server 2016, Windows 10, Windows 10 Servers. | |||||
| CVE-2018-18326 | 1 Dnnsoftware | 1 Dotnetnuke | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| DNN (aka DotNetNuke) 9.2 through 9.2.2 incorrectly converts encryption key source values, resulting in lower than expected entropy. NOTE: this issue exists because of an incomplete fix for CVE-2018-15812. | |||||
| CVE-2018-15812 | 1 Dnnsoftware | 1 Dotnetnuke | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| DNN (aka DotNetNuke) 9.2 through 9.2.1 incorrectly converts encryption key source values, resulting in lower than expected entropy. | |||||
| CVE-2018-10240 | 1 Solarwinds | 1 Serv-u | 2024-11-21 | 5.0 MEDIUM | 7.3 HIGH |
| SolarWinds Serv-U MFT before 15.1.6 HFv1 assigns authenticated users a low-entropy session token that can be included in requests to the application as a URL parameter in lieu of a session cookie. This session token's value can be brute-forced by an attacker to obtain the corresponding session cookie and hijack the user's session. | |||||
| CVE-2018-1000620 | 1 Cryptiles Project | 1 Cryptiles | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
| Eran Hammer cryptiles version 4.1.1 earlier contains a CWE-331: Insufficient Entropy vulnerability in randomDigits() method that can result in An attacker is more likely to be able to brute force something that was supposed to be random.. This attack appear to be exploitable via Depends upon the calling application.. This vulnerability appears to have been fixed in 4.1.2. | |||||
| CVE-2017-2626 | 2 Freedesktop, Redhat | 6 Libice, Enterprise Linux Desktop, Enterprise Linux Server and 3 more | 2024-11-21 | 2.1 LOW | 5.2 MEDIUM |
| It was discovered that libICE before 1.0.9-8 used a weak entropy to generate keys. A local attacker could potentially use this flaw for session hijacking using the information available from the process list. | |||||
| CVE-2017-2625 | 2 Redhat, X.org | 7 Enterprise Linux, Enterprise Linux Desktop, Enterprise Linux Server and 4 more | 2024-11-21 | 2.1 LOW | 6.5 MEDIUM |
| It was discovered that libXdmcp before 1.1.2 including used weak entropy to generate session keys. On a multi-user system using xdmcp, a local attacker could potentially use information available from the process list to brute force the key, allowing them to hijack other users' sessions. | |||||