CVE-2024-7315
The CVE-2024-7315 entry concerns the Migration, Backup, Staging WPvivid WordPress plugin (versions prior to 0.9.106). The root cause is insufficient randomness in the backup filename, which could be brute-forced to leak sensitive backup information. Impact: unauthenticated disclosure of sensitive...
Medium: c-ares
Issue Overview: Insufficient randomness in generation of DNS query IDs. When /dev/urandom or RtlGenRandom are unavailable, c-ares uses rand() to generate random numbers used for DNS query IDs. This is not a CSPRNG, and it is also not seeded by srand(), so it will generate predictable output. Input from th...
PT-2024-38418 · Canonical +1 · Juju +1
Name of the Vulnerable Software and Affected Versions: juju versions prior to 2.9.51; juju versions prior to 3.1.10; juju versions prior to 3.3.7; juju versions prior to 3.4.6; juju versions prior to 3.5.4. Description: The JUJU_CONTEXT_ID is a predictable authentication secret. On a Juju machine or...
PT-2024-38261 · WordPress · Migration
Name of the Vulnerable Software and Affected Versions: Migration, Backup, Staging WordPress plugin versions prior to 0.9.106. Description: The issue concerns the insufficient randomness in filenames created during backup generation, which could be brute-forced by attackers to leak sensitive...
CVE-2024-47126
The goTenna Pro App does not use SecureRandom when generating passwords for sharing cryptographic keys. The random function in use makes it easier for attackers to brute force this password if the broadcasted encryption key is captured over RF. This only applies to the optional broadcast of an...
CVE-2024-45723
The goTenna Pro ATAK Plugin does not use SecureRandom when generating passwords for sharing cryptographic keys. The random function in use makes it easier for attackers to brute force this password if the broadcasted encryption key is captured over RF. This only applies to the optional broadcast ...
PT-2024-31741 · Gotenna · Gotenna Pro Atak Plugin
Name of the Vulnerable Software and Affected Versions: goTenna Pro ATAK Plugin (affected versions not specified). Description: The issue is related to the generation of passwords for sharing cryptographic keys, where the goTenna Pro ATAK Plugin does not utilize SecureRandom. Instead, it uses a rando...
Apache Linkis encryption issue vulnerability
Apache Linkis is a middleware product from the Apache Foundation that establishes an efficient connection between upper-tier applications and the underlying data engine. An encryption issue vulnerability exists in Apache Linkis version 1.5.0 and prior versions, which stems from the use of Commons...
The vulnerability of the NTP synchronization protocol lies in the use of insufficiently random values, which allows a perpetrator to cause a service failure.
The vulnerability of the NTP synchronization protocol lies in the use of insufficiently random values. Exploiting this vulnerability allows a remote attacker to cause a service failure...
The vulnerability of the gnutls_rnd() function in the Samba networking software package, related to the use of insufficiently random values, allows an attacker to access confidential data.
The vulnerability of the gnutls_rnd() function in the Samba networking software package is related to the use of insufficiently random values. Exploiting this vulnerability could allow an attacker to gain access to confidential data...
ALPINE-CVE-2024-45157
An issue was discovered in Mbed TLS before 2.28.9 and 3.x before 3.6.1, in which the user-selected algorithm is not used. Unlike previously documented, enabling MBEDTLS_PSA_HMAC_DRBG_MD_TYPE does not cause the PSA subsystem to use HMAC_DRBG: it uses HMAC_DRBG only when MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG and...
UBUNTU-CVE-2024-45157
An issue was discovered in Mbed TLS before 2.28.9 and 3.x before 3.6.1, in which the user-selected algorithm is not used. Unlike previously documented, enabling MBEDTLS_PSA_HMAC_DRBG_MD_TYPE does not cause the PSA subsystem to use HMAC_DRBG: it uses HMAC_DRBG only when MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG and...
UBUNTU-CVE-2024-44959
In the Linux kernel, the following vulnerability has been resolved: tracefs: Use generic inode RCU for synchronizing freeing. With structure layout randomization enabled for 'struct inode' we need to avoid overlapping any of the RCU-used / initialized-only-once members, e.g. i_lru or i_sb_list to not...
kernel: x86/coco: Require seeding RNG with RDRAND on CoCo systems
CVE-2024-35875 addresses a security concern in the Linux kernel's handling of confidential computing (CoCo) environments. In these setups, the virtual machine (VM) host is untrusted and may attempt to compromise guest VMs. A critical component for maintaining security in such environments is a reliab...
CVE-2024-1544
CVE-2024-1544 describes a bias in the ECDSA nonce generation when k is obtained as r mod n, where a control-flow dependent reduction leaks MSB bias in k. The issue can enable lattice-reduction based reconstruction of k for certain curves (e.g., SECP160R1 with about 15 bits of bias). The connected...
CVE-2024-1544
Generating the ECDSA nonce k samples a random number r and then truncates this randomness with a modular reduction mod n where n is the order of the elliptic curve. Meaning k = r mod n. The division used during the reduction estimates a factor q_e by dividing the upper two digits a digit having e....
wolfSSL security vulnerability
wolfSSL (CyaSSL) is a small, portable embedded SSL programming library from the US company wolfSSL, intended for embedded systems developers. A security vulnerability exists in wolfSSL prior to version 5.7.2, which stems from the use of insufficiently random numbers when generating...
PT-2024-29780 · Fiware · Fiware Keyrock
Name of the Vulnerable Software and Affected Versions: FIWARE Keyrock versions <= 8.4. Description: The issue is related to insufficiently random values for generating password reset tokens, allowing attackers to take over the account of any user by predicting the token for the password reset link...
FIWARE Keyrock security vulnerability
FIWARE Keyrock is a FIWARE open source component responsible for identity management. A cryptographic vulnerability exists in FIWARE Keyrock 8.4 and prior versions, which arises from a predictable random value for user-created activation tokens that can be exploited by an attacker to predict...