CVE-2023-31147

c-ares is an asynchronous resolver library. When /dev/urandom or RtlGenRandom are unavailable, c-ares uses rand to generate random numbers used for DNS query ids. This is not a CSPRNG, and it is also not seeded by srand so will generate predictable output. Input from the random number generator i...

Design/Logic Flaw

c-ares is an asynchronous resolver library. When /dev/urandom or RtlGenRandom are unavailable, c-ares uses rand to generate random numbers used for DNS query ids. This is not a CSPRNG, and it is also not seeded by srand so will generate predictable output. Input from the random number generator i...

CVE-2023-31147 Insufficient randomness in generation of DNS query IDs in c-ares

c-ares is an asynchronous resolver library. When /dev/urandom or RtlGenRandom are unavailable, c-ares uses rand to generate random numbers used for DNS query ids. This is not a CSPRNG, and it is also not seeded by srand so will generate predictable output. Input from the random number generator i...

CVE-2023-31147 Insufficient randomness in generation of DNS query IDs in c-ares

c-ares is an asynchronous resolver library. When /dev/urandom or RtlGenRandom are unavailable, c-ares uses rand to generate random numbers used for DNS query ids. This is not a CSPRNG, and it is also not seeded by srand so will generate predictable output. Input from the random number generator i...

CVE-2023-31147

c-ares is an asynchronous resolver library. When /dev/urandom or RtlGenRandom are unavailable, c-ares uses rand to generate random numbers used for DNS query ids. This is not a CSPRNG, and it is also not seeded by srand so will generate predictable output. Input from the random number generator i...

c-ares 安全特征问题漏洞

c-ares is a C library for asynchronous DNS requests from the individual developers of c-ares. A security vulnerability exists in c-ares versions prior to 1.19.1, which stems from generating predictable output...

GO-2023-1765 Leaked shared secret and weak blinding in github.com/cloudflare/circl

When sampling randomness for a shared secret, the implementation of Kyber and FrodoKEM, did not check whether crypto/rand.Read returns an error. In rare deployment cases error thrown by the Read function, this could lead to a predictable shared secret. The tkn20 and blindrsa components did not...

CVE-2023-31147

A vulnerability was found in c-ares. This issue occurs when /dev/urandom or RtlGenRandom are unavailable, c-ares will use rand to generate random numbers used for DNS query ids. This is not a CSPRNG, and it is also not seeded by srand, so it will generate predictable output...

Oracle Linux 8 : samba (ELSA-2023-2987)

The remote Oracle Linux 8 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2023-2987 advisory. - In Samba, GnuTLS gnutlsrnd can fail and give predictable random values. CVE-2022-1615 Note that Nessus has not tested for this issue but has instead relied on...

Low: Red Hat Security Advisory: samba security, bug fix, and enhancement update

An update for evolution-mapi, openchange, and samba is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for...

Ubuntu 18.04 ESM : Synapse vulnerabilities (USN-6076-1)

The remote Ubuntu 18.04 ESM host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-6076-1 advisory. It was discovered that Synapse incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input...

Insecure Randomness

github.com/cloudflare/circl is vulnerable to Insecure Randomness. Kyber and FrodoKEM did not check whether crypto/rand.Read returned an error, leading to a predictable shared secret. The tkn20 and blindrsa components did not check if enough randomness was returned from the user provided randomnes...

SUSE CVE-2023-31442

In Lightbend Akka before 2.8.1, the async-dns resolver used by Discovery in DNS mode and transitively by Cluster Bootstrap uses predictable DNS transaction IDs when resolving DNS records, making DNS resolution subject to poisoning by an attacker. If the application performing discovery does not...

PT-2023-20766 · Unknown · Rosariosis

Name of the Vulnerable Software and Affected Versions: RosarioSIS versions prior to 11.0 Description: The issue allows unauthorized access to sensitive data due to a lack of access control in a mechanism. Specifically, it enables anyone to download and view file attachments under the salaries...

CVE-2023-31442

In Lightbend Akka before 2.8.1, the async-dns resolver used by Discovery in DNS mode and transitively by Cluster Bootstrap uses predictable DNS transaction IDs when resolving DNS records, making DNS resolution subject to poisoning by an attacker. If the application performing discovery does not...

Design/Logic Flaw

In Lightbend Akka before 2.8.1, the async-dns resolver used by Discovery in DNS mode and transitively by Cluster Bootstrap uses predictable DNS transaction IDs when resolving DNS records, making DNS resolution subject to poisoning by an attacker. If the application performing discovery does not...

Design/Logic Flaw

When sampling randomness for a shared secret, the implementation of Kyber and FrodoKEM, did not check whether crypto/rand.Read returns an error. In rare deployment cases error thrown by the Read function, this could lead to a predictable shared secret. The tkn20 and blindrsa components did not...

Amazon Fire TV Stick 安全特征问题漏洞

The Amazon Fire TV Stick is a television voice recognition remote control from Amazon.com, Inc. The Amazon Fire TV Stick suffers from a security signature issue vulnerability that stems from initializing random numbers to known values and incorrect JPAKE implementation that allows for brute force...

Bypass of CSRF protection in the presence of predictable userInfo

Description The CSRF protection enforced by the @fastify/csrf-protection library in combination with @fastify/cookie can be bypassed from network and same-site attackers under certain conditions. @fastify/csrf-protection supports an optional userInfo parameter that binds the CSRF token to the use...

SUSE CVE-2006-6969

Jetty before 4.2.27, 5.1 before 5.1.12, 6.0 before 6.0.2, and 6.1 before 6.1.0pre3 generates predictable session identifiers using java.util.random, which makes it easier for remote attackers to guess a session identifier through brute force attacks, bypass authentication requirements, and possib...