Total
98 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2018-8435 | 1 Microsoft | 2 Windows 10, Windows Server 2016 | 2024-11-21 | N/A |
| A security feature bypass vulnerability exists when Windows Hyper-V BIOS loader fails to provide a high-entropy source, aka "Windows Hyper-V Security Feature Bypass Vulnerability." This affects Windows Server 2016, Windows 10, Windows 10 Servers. | ||||
| CVE-2018-18326 | 1 Dnnsoftware | 1 Dotnetnuke | 2024-11-21 | 7.5 High |
| DNN (aka DotNetNuke) 9.2 through 9.2.2 incorrectly converts encryption key source values, resulting in lower than expected entropy. NOTE: this issue exists because of an incomplete fix for CVE-2018-15812. | ||||
| CVE-2018-15812 | 1 Dnnsoftware | 1 Dotnetnuke | 2024-11-21 | 7.5 High |
| DNN (aka DotNetNuke) 9.2 through 9.2.1 incorrectly converts encryption key source values, resulting in lower than expected entropy. | ||||
| CVE-2018-10240 | 1 Solarwinds | 1 Serv-u | 2024-11-21 | N/A |
| SolarWinds Serv-U MFT before 15.1.6 HFv1 assigns authenticated users a low-entropy session token that can be included in requests to the application as a URL parameter in lieu of a session cookie. This session token's value can be brute-forced by an attacker to obtain the corresponding session cookie and hijack the user's session. | ||||
| CVE-2018-1000620 | 1 Cryptiles Project | 1 Cryptiles | 2024-11-21 | 9.8 Critical |
| Eran Hammer cryptiles version 4.1.1 earlier contains a CWE-331: Insufficient Entropy vulnerability in randomDigits() method that can result in An attacker is more likely to be able to brute force something that was supposed to be random.. This attack appear to be exploitable via Depends upon the calling application.. This vulnerability appears to have been fixed in 4.1.2. | ||||
| CVE-2017-2626 | 2 Freedesktop, Redhat | 7 Libice, Enterprise Linux, Enterprise Linux Desktop and 4 more | 2024-11-21 | N/A |
| It was discovered that libICE before 1.0.9-8 used a weak entropy to generate keys. A local attacker could potentially use this flaw for session hijacking using the information available from the process list. | ||||
| CVE-2017-2625 | 2 Redhat, X.org | 7 Enterprise Linux, Enterprise Linux Desktop, Enterprise Linux Server and 4 more | 2024-11-21 | N/A |
| It was discovered that libXdmcp before 1.1.2 including used weak entropy to generate session keys. On a multi-user system using xdmcp, a local attacker could potentially use information available from the process list to brute force the key, allowing them to hijack other users' sessions. | ||||
| CVE-2017-18883 | 1 Mattermost | 1 Mattermost Server | 2024-11-21 | 9.1 Critical |
| An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2, when serving as an OAuth 2.0 Service Provider. There is low entropy for authorization data. | ||||
| CVE-2016-4980 | 3 Ethz, Fedoraproject, Redhat | 3 Xquest, Fedora, Enterprise Linux | 2024-11-21 | 2.5 Low |
| A password generation weakness exists in xquest through 2016-06-13. | ||||
| CVE-2016-10743 | 1 W1.fi | 1 Hostapd | 2024-11-21 | 7.5 High |
| hostapd before 2.6 does not prevent use of the low-quality PRNG that is reached by an os_random() function call. | ||||
| CVE-2015-8851 | 2 Node-uuid Project, Redhat | 2 Node-uuid, Openshift | 2024-11-21 | 7.5 High |
| node-uuid before 1.4.4 uses insufficiently random data to create a GUID, which could make it easier for attackers to have unspecified impact via brute force guessing. | ||||
| CVE-2015-3006 | 1 Juniper | 3 Junos, Qfx3500, Qfx3600 | 2024-11-21 | 6.5 Medium |
| On the QFX3500 and QFX3600 platforms, the number of bytes collected from the RANDOM_INTERRUPT entropy source when the device boots up is insufficient, possibly leading to weak or duplicate SSH keys or self-signed SSL/TLS certificates. Entropy increases after the system has been up and running for some time, but immediately after boot, the entropy is very low. This issue only affects the QFX3500 and QFX3600 switches. No other Juniper Networks products or platforms are affected by this weak entropy vulnerability. | ||||
| CVE-2014-8422 | 2 Atos, Unify | 8 Openscape Desk Phone Ip 35g, Openscape Desk Phone Ip 35g Eco, Openscape Desk Phone Ip 55g and 5 more | 2024-11-21 | 8.1 High |
| The web-based management (WBM) interface in Unify (former Siemens) OpenStage SIP and OpenScape Desk Phone IP V3 devices before R3.32.0 generates session cookies with insufficient entropy, which makes it easier for remote attackers to hijack sessions via a brute-force attack. | ||||
| CVE-2013-2260 | 1 Cryptocat Project | 1 Cryptocat | 2024-11-21 | 9.8 Critical |
| Cryptocat before 2.0.22: Cryptocat.random() Function Array Key has Entropy Weakness | ||||
| CVE-2024-20331 | 1 Cisco | 2 Adaptive Security Appliance Software, Firepower Threat Defense Software | 2024-11-01 | 6.8 Medium |
| A vulnerability in the session authentication functionality of the Remote Access SSL VPN feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to prevent users from authenticating. This vulnerability is due to insufficient entropy in the authentication process. An attacker could exploit this vulnerability by determining the handle of an authenticating user and using it to terminate their authentication session. A successful exploit could allow the attacker to force a user to restart the authentication process, preventing a legitimate user from establishing remote access VPN sessions. | ||||
| CVE-2024-47945 | 2 Rittal, Rittal Gmbh And Co.kg | 5 Cmc Iii Processing Units, Cmc Iii Processing Units Firmware, Iot Interface and 2 more | 2024-10-21 | 9.1 Critical |
| The devices are vulnerable to session hijacking due to insufficient entropy in its session ID generation algorithm. The session IDs are predictable, with only 32,768 possible values per user, which allows attackers to pre-generate valid session IDs, leading to unauthorized access to user sessions. This is not only due to the use of an (insecure) rand() function call but also because of missing initialization via srand(). As a result only the PIDs are effectively used as seed. | ||||
| CVE-2024-8796 | 1 Tinfoilsecurity | 1 Devise-two-factor | 2024-09-30 | 5.3 Medium |
| Under the default configuration, Devise-Two-Factor versions >= 2.2.0 & < 6.0.0 generate TOTP shared secrets that are 120 bits instead of the 128-bit minimum defined by RFC 4226. Using a shared secret shorter than the minimum to generate a multi-factor authentication code could make it easier for an attacker to guess the shared secret and generate valid TOTP codes. | ||||
| CVE-2024-38270 | 1 Zyxel | 20 Gs1900-10hp, Gs1900-10hp Firmware, Gs1900-16 and 17 more | 2024-09-18 | 5.3 Medium |
| An insufficient entropy vulnerability caused by the improper use of a randomness function with low entropy for web authentication tokens generation exists in the Zyxel GS1900-10HP firmware version V2.80(AAZI.0)C0. This vulnerability could allow a LAN-based attacker a slight chance to gain a valid session token if multiple authenticated sessions are alive. | ||||