Lucene search
K

66 matches found

Github Security Blog
Github Security Blog
added 2024/06/07 10:26 p.m.20 views

ZendFramework1 Potential Insufficient Entropy Vulnerability

We discovered several methods used to generate random numbers in ZF1 that potentially used insufficient entropy. These random number generators are used in the following method calls: ZendLdapAttribute::createPassword ZendFormElementHash::generateHash ZendGdataHttpClient::filterHttpRequest...

6.8AI score
Exploits0References3Affected Software1
OSV
OSV
added 2024/06/07 10:25 p.m.11 views

GHSA-MG4X-PRH7-G4MX Zend-Captcha Information Disclosure and Insufficient Entropy vulnerability

In Zend Framework, ZendCaptchaWord v1 and Zend\Captcha\Word v2 generate a "word" for a CAPTCHA challenge by selecting a sequence of random letters from a character set. Prior to this advisory, the selection was performed using PHP's internal arrayrand function. This function does not generate...

7.5CVSS6.6AI score
Exploits0References5
Positive Technologies
Positive Technologies
added 2024/02/01 12:0 a.m.7 views

PT-2024-13199 · Objectplanet · Objectplanet Opinio

Name of the Vulnerable Software and Affected Versions: Objectplanet Opinio versions 7.22 and prior Description: The issue is related to the use of a cryptographically weak pseudo-random number generator PRNG coupled to a predictable seed, which could lead to an unauthenticated account takeover of...

9.8CVSS9.2AI score0.00621EPSS
Exploits0References8
OSV
OSV
added 2023/05/25 10:15 p.m.7 views

AZL-26870 CVE-2023-31147 affecting package fluent-bit for versions less than 2.1.10-1

c-ares is an asynchronous resolver library. When /dev/urandom or RtlGenRandom are unavailable, c-ares uses rand to generate random numbers used for DNS query ids. This is not a CSPRNG, and it is also not seeded by srand so will generate predictable output. Input from the random number generator i...

6.5CVSS6.7AI score0.00905EPSS
Exploits0References1
CNNVD
CNNVD
added 2023/05/25 12:0 a.m.3 views

c-ares 安全特征问题漏洞

c-ares is a C library for asynchronous DNS requests from the individual developers of c-ares. A security vulnerability exists in versions prior to c-ares 1.19.1, which stems from a lack of entropy that allows an attacker to exploit entropy by not using CSPRNG...

3.7CVSS6.4AI score0.00936EPSS
Exploits0References12
Cvelist
Cvelist
added 2023/02/07 11:25 p.m.51 views

CVE-2023-24828 Use of Cryptographically Weak Pseudo-Random Number Generator in Onedev

Onedev is a self-hosted Git Server with CI/CD and Kanban. In versions prior to 7.9.12 the algorithm used to generate access token and password reset keys was not cryptographically secure. Existing normal users or everyone if it allows self-registration may exploit this to elevate privilege to...

8.1CVSS8.8AI score0.00713EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2022/12/28 12:30 a.m.25 views

Golf may allow attacker to bypass CSRF protections due to weak PRNG

CSRF tokens are generated using math/rand, which is not a cryptographically secure random number generator, allowing an attacker to predict values and bypass CSRF protections with relatively few requests...

8.8CVSS8.4AI score0.00382EPSS
Exploits0References7Affected Software1
CVE
CVE
added 2022/12/27 9:13 p.m.70 views

CVE-2016-15005

CVE-2016-15005 affects the Go project github.com/dinever/golf. The root cause is CSRF tokens generated with math/rand, which is not cryptographically secure, allowing an attacker to predict token values and bypass CSRF protections with relatively few requests. Impact described across sources: CSR...

8.8CVSS8.7AI score0.00382EPSS
Exploits0References4Affected Software1
CVE
CVE
added 2022/12/06 5:18 p.m.103 views

CVE-2022-23472

Passeo (open source Python password generator) before v1.0.5 uses the Python random module for value generation, which is non-cryptographically secure. This may allow a motivated attacker to guess generated passwords. The issue is addressed in v1.0.5; upgrade to that version. No public workaround...

7.5CVSS6.4AI score0.00791EPSS
Exploits0References3Affected Software1
CNNVD
CNNVD
added 2022/12/06 12:0 a.m.45 views

Passeo 安全特征问题漏洞

Passeo is a Python password generator by the individual developer Arjun Sharda. A security signature issue vulnerability exists in versions of Passeo prior to 1.0.5 that stems from a reliance on the python random library for random value selection, which relies on a non-cryptographically secure...

7.5CVSS7.2AI score0.00791EPSS
Exploits0References4
Gentoo Linux
Gentoo Linux
added 2022/10/31 12:0 a.m.34 views

Apptainer: Lack of Digital Signature Hash Verification

Background Apptainer is the container system for secure high-performance computing. Description The Go module "sif" version 2.8.0 and older, which is a statically linked dependency of Apptainer, does not verify that the hash algorithms used are cryptographically secure when verifying digital...

9.8CVSS1.3AI score0.00477EPSS
Exploits0
Github Security Blog
Github Security Blog
added 2022/10/06 7:54 p.m.54 views

SIF's Digital Signature Hash Algorithms Not Validated

Impact The github.com/sylabs/sif/v2/pkg/integrity package does not verify that the hash algorithms used are cryptographically secure when verifying digital signatures. Patches A patch is available in version = v2.8.1 of the module. Users are encouraged to upgrade. The patch is commit...

9.8CVSS7.6AI score0.00477EPSS
Exploits0References9Affected Software1
OSV
OSV
added 2022/10/06 6:16 p.m.1 views

UBUNTU-CVE-2022-39237

syslabs/sif is the Singularity Image Format SIF reference implementation. In versions prior to 2.8.1the github.com/sylabs/sif/v2/pkg/integrity package did not verify that the hash algorithms used are cryptographically secure when verifying digital signatures. A patch is available in version =...

9.8CVSS6.4AI score0.00477EPSS
Exploits0References6
AlpineLinux
AlpineLinux
added 2022/10/06 12:0 a.m.25 views

CVE-2022-39237

syslabs/sif is the Singularity Image Format SIF reference implementation. In versions prior to 2.8.1the github.com/sylabs/sif/v2/pkg/integrity package did not verify that the hash algorithms used are cryptographically secure when verifying digital signatures. A patch is available in version =...

9.8CVSS7.9AI score0.00477EPSS
Exploits0
Github Security Blog
Github Security Blog
added 2022/06/01 7:50 p.m.59 views

Weak private key generation in SSH.NET

During an X25519 key exchange, the client’s private is generated with System.Random: cs var rnd = new Random; privateKey = new byteMontgomeryCurve25519.PrivateKeySizeInBytes; rnd.NextBytesprivateKey; Source: KeyExchangeECCurve25519.cs Source commit:...

6.5CVSS5.7AI score0.01384EPSS
Exploits1References7Affected Software1
NVD
NVD
added 2022/05/16 6:15 a.m.11 views

CVE-2022-30782

Openmoney API through 2020-06-29 uses the JavaScript Math.random function, which does not provide cryptographically secure random numbers...

7.5CVSS0.00968EPSS
Exploits0References2
Cvelist
Cvelist
added 2022/05/16 5:25 a.m.26 views

CVE-2022-30782

Openmoney API through 2020-06-29 uses the JavaScript Math.random function, which does not provide cryptographically secure random numbers...

7.8AI score0.00968EPSS
Exploits0References2
WPVulnDB
WPVulnDB
added 2021/10/13 12:0 a.m.36 views

Simple JWT Login < 3.3.0 - Insecure Password Creation

The plugin can be used to create new WordPress user accounts with a randomly generated password. The password is generated using the strshuffle PHP function that "does not generate cryptographically secure values, and should not be used for cryptographic purposes" according to PHP's documentation...

7.5CVSS1.2AI score0.01186EPSS
Exploits0References1Affected Software1
OSV
OSV
added 2021/08/25 8:50 p.m.26 views

GHSA-M9M5-CG5H-R582 Improper random number generation in nanorand

In versions of nanorand prior to 0.5.1, RandomGen implementations for standard unsigned integers could fail to properly generate numbers, due to using bit-shifting to truncate a 64-bit number, rather than just an as conversion. This often manifested as RNGs returning nothing but 0, including the...

5.1CVSS9.4AI score0.01515EPSS
Exploits0References5
OSV
OSV
added 2021/04/06 5:22 p.m.16 views

GHSA-W3HJ-WR2Q-X83G Discovery uses the same AES/GCM Nonce throughout the session

Discovery uses the same AES/GCM Nonce throughout the session though it should be generated on per message basis which can lead to the leaking of the session key. As the actual ENR record is signed with a different key it is not possible for an attacker to alter the ENR record. Note that the node...

5.3CVSS5.2AI score0.00489EPSS
Exploits0References4
Rows per page
Query Builder