CVE-2010-1128

2010-03-2620:30:00

CWE-310

[email protected]

web.nvd.nist.gov

cve-2010-1128

php

linear congruential generator

entropy

uniqid function

6.2 Medium

AI Score

Confidence

Low

6.4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:P/A:N

0.009 Low

EPSS

Percentile

82.9%

JSON

The Linear Congruential Generator (LCG) in PHP before 5.2.13 does not provide the expected entropy, which makes it easier for context-dependent attackers to guess values that were intended to be unpredictable, as demonstrated by session cookies generated by using the uniqid function.

CPENameOperatorVersion
php:phpphpeq5.2.9
php:phpphpeq5.2.7
php:phpphpeq5.2.2
php:phpphpeq5.2.5
php:phpphple5.2.12
php:phpphpeq5.2.11
php:phpphpeq5.2.6
php:phpphpeq5.2.3
php:phpphpeq5.2.0
php:phpphpeq5.2.4

CPE	Name	Operator	Version
php:php	php	eq	5.2.9
php:php	php	eq	5.2.7
php:php	php	eq	5.2.2
php:php	php	eq	5.2.5
php:php	php	le	5.2.12
php:php	php	eq	5.2.11
php:php	php	eq	5.2.6
php:php	php	eq	5.2.3
php:php	php	eq	5.2.0
php:php	php	eq	5.2.4