Search
Total
22 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-46648 | 1 Github | 1 Enterprise Server | 2023-12-29 | N/A | 7.5 HIGH |
| An insufficient entropy vulnerability was identified in GitHub Enterprise Server (GHES) that allowed an attacker to brute force a user invitation to the GHES Management Console. To exploit this vulnerability, an attacker would need knowledge that a user invitation was pending. This vulnerability affected all versions of GitHub Enterprise Server since 3.8 and was fixed in version 3.8.12, 3.9.7, 3.10.4, and 3.11.1. This vulnerability was reported via the GitHub Bug Bounty program. | |||||
| CVE-2022-37401 | 1 Apache | 1 Openoffice | 2023-08-02 | N/A | 8.8 HIGH |
| Apache OpenOffice supports the storage of passwords for web connections in the user's configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in OpenOffice existed where master key was poorly encoded resulting in weakening its entropy from 128 to 43 bits making the stored passwords vulnerable to a brute force attack if an attacker has access to the users stored config. This issue affects: Apache OpenOffice versions prior to 4.1.13. Reference: CVE-2022-26307 - LibreOffice | |||||
| CVE-2020-29505 | 1 Dell | 2 Bsafe Crypto-c-micro-edition, Bsafe Micro-edition-suite | 2022-07-25 | 5.0 MEDIUM | 7.5 HIGH |
| Dell BSAFE Crypto-C Micro Edition, versions before 4.1.5, and Dell BSAFE Micro Edition Suite, versions before 4.5.2, contain a Key Management Error Vulnerability. | |||||
| CVE-2022-33756 | 1 Broadcom | 1 Ca Automic Automation | 2022-06-27 | 5.0 MEDIUM | 7.5 HIGH |
| CA Automic Automation 12.2 and 12.3 contain an entropy weakness vulnerability in the Automic AutomationEngine that could allow a remote attacker to potentially access sensitive data. | |||||
| CVE-2020-28924 | 2 Fedoraproject, Rclone | 2 Fedora, Rclone | 2022-04-26 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Rclone before 1.53.3. Due to the use of a weak random number generator, the password generator has been producing weak passwords with much less entropy than advertised. The suggested passwords depend deterministically on the time the second rclone was started. This limits the entropy of the passwords enormously. These passwords are often used in the crypt backend for encryption of data. It would be possible to make a dictionary of all possible passwords with about 38 million entries per password length. This would make decryption of secret material possible with a plausible amount of effort. NOTE: all passwords generated by affected versions should be changed. | |||||
| CVE-2019-10064 | 2 Debian, W1.fi | 2 Debian Linux, Hostapd | 2022-01-01 | 5.0 MEDIUM | 7.5 HIGH |
| hostapd before 2.6, in EAP mode, makes calls to the rand() and random() standard library functions without any preceding srand() or srandom() call, which results in inappropriate use of deterministic values. This was fixed in conjunction with CVE-2016-10743. | |||||
| CVE-2014-8422 | 2 Atos, Unify | 8 Openscape Desk Phone Ip 35g, Openscape Desk Phone Ip 35g Eco, Openscape Desk Phone Ip 55g and 5 more | 2021-09-09 | 6.8 MEDIUM | 8.1 HIGH |
| The web-based management (WBM) interface in Unify (former Siemens) OpenStage SIP and OpenScape Desk Phone IP V3 devices before R3.32.0 generates session cookies with insufficient entropy, which makes it easier for remote attackers to hijack sessions via a brute-force attack. | |||||
| CVE-2020-25926 | 1 Hcc-embedded | 1 Nichestack Tcp\/ip | 2021-08-26 | 5.0 MEDIUM | 7.5 HIGH |
| The DNS client in InterNiche NicheStack TCP/IP 4.0.1 is affected by: Insufficient entropy in the DNS transaction id. The impact is: DNS cache poisoning (remote). The component is: dns_query_type(). The attack vector is: a specific DNS response packet. | |||||
| CVE-2019-15703 | 1 Fortinet | 1 Fortios | 2021-07-21 | 2.6 LOW | 7.5 HIGH |
| An Insufficient Entropy in PRNG vulnerability in Fortinet FortiOS 6.2.1, 6.2.0, 6.0.8 and below for device not enable hardware TRNG token and models not support builtin TRNG seed allows attacker to theoretically recover the long term ECDSA secret in a TLS client with a RSA handshake and mutual ECDSA authentication via the help of flush+reload side channel attacks in FortiGate VM models only. | |||||
| CVE-2020-1773 | 1 Otrs | 1 Otrs | 2020-09-23 | 5.5 MEDIUM | 8.1 HIGH |
| An attacker with the ability to generate session IDs or password reset tokens, either by being able to authenticate or by exploiting OSA-2020-09, may be able to predict other users session IDs, password reset tokens and automatically generated passwords. This issue affects ((OTRS)) Community Edition: 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS; 7.0.15 and prior versions. | |||||
| CVE-2019-15847 | 2 Gnu, Opensuse | 2 Gcc, Leap | 2020-09-17 | 5.0 MEDIUM | 7.5 HIGH |
| The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. For example, within a single execution of a program, the output of every __builtin_darn() call may be the same. | |||||
| CVE-2018-18326 | 1 Dnnsoftware | 1 Dotnetnuke | 2020-08-24 | 5.0 MEDIUM | 7.5 HIGH |
| DNN (aka DotNetNuke) 9.2 through 9.2.2 incorrectly converts encryption key source values, resulting in lower than expected entropy. NOTE: this issue exists because of an incomplete fix for CVE-2018-15812. | |||||
| CVE-2018-15812 | 1 Dnnsoftware | 1 Dotnetnuke | 2020-08-24 | 5.0 MEDIUM | 7.5 HIGH |
| DNN (aka DotNetNuke) 9.2 through 9.2.1 incorrectly converts encryption key source values, resulting in lower than expected entropy. | |||||
| CVE-2020-11957 | 1 Cypress | 1 Psoc 4.2 Ble | 2020-06-22 | 5.4 MEDIUM | 7.5 HIGH |
| The Bluetooth Low Energy implementation in Cypress PSoC Creator BLE 4.2 component versions before 3.64 generates a random number (Pairing Random) with significantly less entropy than the specified 128 bits during BLE pairing. This is the case for both authenticated and unauthenticated pairing with both LE Secure Connections as well as LE Legacy Pairing. A predictable or brute-forceable random number allows an attacker (in radio range) to perform a MITM attack during BLE pairing. | |||||
| CVE-2015-3405 | 7 Debian, Fedoraproject, Ntp and 4 more | 13 Debian Linux, Fedora, Ntp and 10 more | 2020-05-28 | 5.0 MEDIUM | 7.5 HIGH |
| ntp-keygen in ntp 4.2.8px before 4.2.8p2-RC2 and 4.3.x before 4.3.12 does not generate MD5 keys with sufficient entropy on big endian machines when the lowest order byte of the temp variable is between 0x20 and 0x7f and not #, which might allow remote attackers to obtain the value of generated MD5 keys via a brute force attack with the 93 possible keys. | |||||
| CVE-2015-8851 | 1 Node-uuid Project | 1 Node-uuid | 2020-02-05 | 5.0 MEDIUM | 7.5 HIGH |
| node-uuid before 1.4.4 uses insufficiently random data to create a GUID, which could make it easier for attackers to have unspecified impact via brute force guessing. | |||||
| CVE-2015-7764 | 1 Netflix | 1 Lemur | 2019-12-11 | 5.0 MEDIUM | 7.5 HIGH |
| Lemur 0.1.4 does not use sufficient entropy in its IV when encrypting AES in CBC mode. | |||||
| CVE-2017-13992 | 1 Loytec | 2 Lvis-3me, Lvis-3me Firmware | 2019-10-09 | 6.8 MEDIUM | 8.1 HIGH |
| An Insufficient Entropy issue was discovered in LOYTEC LVIS-3ME versions prior to 6.2.0. The application does not utilize sufficiently random number generation for the web interface authentication mechanism, which could allow remote code execution. | |||||
| CVE-2017-0897 | 1 Expressionengine | 1 Expressionengine | 2019-10-09 | 5.0 MEDIUM | 7.5 HIGH |
| ExpressionEngine version 2.x < 2.11.8 and version 3.x < 3.5.5 create an object signing token with weak entropy. Successfully guessing the token can lead to remote code execution. | |||||
| CVE-2019-14806 | 1 Palletsprojects | 1 Werkzeug | 2019-09-11 | 5.0 MEDIUM | 7.5 HIGH |
| Pallets Werkzeug before 0.15.3, when used with Docker, has insufficient debugger PIN randomness because Docker containers share the same machine id. | |||||
| CVE-2018-10240 | 1 Solarwinds | 1 Serv-u | 2018-06-25 | 5.0 MEDIUM | 7.3 HIGH |
| SolarWinds Serv-U MFT before 15.1.6 HFv1 assigns authenticated users a low-entropy session token that can be included in requests to the application as a URL parameter in lieu of a session cookie. This session token's value can be brute-forced by an attacker to obtain the corresponding session cookie and hijack the user's session. | |||||
| CVE-2014-0691 | 1 Cisco | 1 Webex Meetings Server | 2017-11-14 | 5.0 MEDIUM | 7.3 HIGH |
| Cisco WebEx Meetings Server before 1.1 uses meeting IDs with insufficient entropy, which makes it easier for remote attackers to bypass authentication and join arbitrary meetings without a password, aka Bug ID CSCuc79643. | |||||