Total
75 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2016-2858 | 3 Canonical, Debian, Qemu | 3 Ubuntu Linux, Debian Linux, Qemu | 2023-02-12 | 1.9 LOW | 6.5 MEDIUM |
| QEMU, when built with the Pseudo Random Number Generator (PRNG) back-end support, allows local guest OS users to cause a denial of service (process crash) via an entropy request, which triggers arbitrary stack based allocation and memory corruption. | |||||
| CVE-2020-29505 | 2 Dell, Oracle | 3 Bsafe Crypto-c-micro-edition, Bsafe Micro-edition-suite, Retail Customer Insights | 2022-10-28 | 5.0 MEDIUM | 7.5 HIGH |
| Dell BSAFE Crypto-C Micro Edition, versions before 4.1.5, and Dell BSAFE Micro Edition Suite, versions before 4.5.2, contain a Key Management Error Vulnerability. | |||||
| CVE-2022-34746 | 1 Zyxel | 20 Gs1900-10hp, Gs1900-10hp Firmware, Gs1900-16 and 17 more | 2022-09-22 | N/A | 5.9 MEDIUM |
| An insufficient entropy vulnerability caused by the improper use of randomness sources with low entropy for RSA key pair generation was found in Zyxel GS1900 series firmware versions prior to V2.70. This vulnerability could allow an unauthenticated attacker to retrieve a private key by factoring the RSA modulus N in the certificate of the web administration interface. | |||||
| CVE-2022-33989 | 1 Dproxy-nexgen Project | 1 Dproxy-nexgen | 2022-08-18 | N/A | 5.3 MEDIUM |
| dproxy-nexgen (aka dproxy nexgen) uses a static UDP source port (selected randomly only at boot time) in upstream queries sent to DNS resolvers. This allows DNS cache poisoning because there is not enough entropy to prevent traffic injection attacks. | |||||
| CVE-2021-41615 | 1 Embedthis | 1 Goahead | 2022-08-12 | N/A | 9.8 CRITICAL |
| websda.c in GoAhead WebServer 2.1.8 has insufficient nonce entropy because the nonce calculation relies on the hardcoded onceuponatimeinparadise value, which does not follow the secret-data guideline for HTTP Digest Access Authentication in RFC 7616 section 3.3 (or RFC 2617 section 3.2.1). NOTE: 2.1.8 is a version from 2003; however, the affected websda.c code appears in multiple derivative works that may be used in 2021. Recent GoAhead software is unaffected. | |||||
| CVE-2021-31798 | 1 Cyberark | 1 Credential Provider | 2022-07-12 | 1.9 LOW | 4.4 MEDIUM |
| The effective key space used to encrypt the cache in CyberArk Credential Provider prior to 12.1 has low entropy, and under certain conditions a local malicious user can obtain the plaintext of cache files. | |||||
| CVE-2022-33756 | 1 Broadcom | 1 Ca Automic Automation | 2022-06-27 | 5.0 MEDIUM | 7.5 HIGH |
| CA Automic Automation 12.2 and 12.3 contain an entropy weakness vulnerability in the Automic AutomationEngine that could allow a remote attacker to potentially access sensitive data. | |||||
| CVE-2019-15703 | 1 Fortinet | 1 Fortios | 2022-03-31 | 2.6 LOW | 7.5 HIGH |
| An Insufficient Entropy in PRNG vulnerability in Fortinet FortiOS 6.2.1, 6.2.0, 6.0.8 and below for device not enable hardware TRNG token and models not support builtin TRNG seed allows attacker to theoretically recover the long term ECDSA secret in a TLS client with a RSA handshake and mutual ECDSA authentication via the help of flush+reload side channel attacks in FortiGate VM models only. | |||||
| CVE-2021-22799 | 1 Schneider-electric | 1 Software Update | 2022-02-03 | 2.1 LOW | 3.8 LOW |
| A CWE-331: Insufficient Entropy vulnerability exists that could cause unintended connection from an internal network to an external network when an attacker manages to decrypt the SESU proxy password from the registry. Affected Product: Schneider Electric Software Update, V2.3.0 through V2.5.1 | |||||
| CVE-2017-6030 | 1 Schneider-electric | 6 Modicon M221, Modicon M221 Firmware, Modicon M241 and 3 more | 2022-02-03 | 6.4 MEDIUM | 6.5 MEDIUM |
| A Predictable Value Range from Previous Values issue was discovered in Schneider Electric Modicon PLCs Modicon M221, firmware versions prior to Version 1.5.0.0, Modicon M241, firmware versions prior to Version 4.0.5.11, and Modicon M251, firmware versions prior to Version 4.0.5.11. The affected products generate insufficiently random TCP initial sequence numbers that may allow an attacker to predict the numbers from previous values. This may allow an attacker to spoof or disrupt TCP connections. | |||||
| CVE-2021-42138 | 1 Thalesgroup | 1 Safenet Windows Logon Agent | 2022-01-03 | 3.5 LOW | 6.5 MEDIUM |
| A user of a machine protected by SafeNet Agent for Windows Logon may leverage weak entropy to access the encrypted credentials of any or all the users on that machine. | |||||
| CVE-2019-10064 | 2 Debian, W1.fi | 2 Debian Linux, Hostapd | 2022-01-01 | 5.0 MEDIUM | 7.5 HIGH |
| hostapd before 2.6, in EAP mode, makes calls to the rand() and random() standard library functions without any preceding srand() or srandom() call, which results in inappropriate use of deterministic values. This was fixed in conjunction with CVE-2016-10743. | |||||
| CVE-2020-10285 | 1 Ufactory | 2 Xarm 5 Lite, Xarm 5 Lite Firmware | 2021-12-21 | 7.5 HIGH | 9.8 CRITICAL |
| The authentication implementation on the xArm controller has very low entropy, making it vulnerable to a brute-force attack. There is no mechanism in place to mitigate or lockout automated attempts to gain access. | |||||
| CVE-2021-36320 | 1 Dell | 18 X1008, X1008 Firmware, X1008p and 15 more | 2021-11-23 | 7.5 HIGH | 9.8 CRITICAL |
| Dell Networking X-Series firmware versions prior to 3.0.1.8 contain an authentication bypass vulnerability. A remote unauthenticated attacker may potentially hijack a session and access the webserver by forging the session ID. | |||||
| CVE-2014-8422 | 2 Atos, Unify | 8 Openscape Desk Phone Ip 35g, Openscape Desk Phone Ip 35g Eco, Openscape Desk Phone Ip 55g and 5 more | 2021-09-09 | 6.8 MEDIUM | 8.1 HIGH |
| The web-based management (WBM) interface in Unify (former Siemens) OpenStage SIP and OpenScape Desk Phone IP V3 devices before R3.32.0 generates session cookies with insufficient entropy, which makes it easier for remote attackers to hijack sessions via a brute-force attack. | |||||
| CVE-2020-25926 | 1 Hcc-embedded | 1 Nichestack Tcp\/ip | 2021-08-26 | 5.0 MEDIUM | 7.5 HIGH |
| The DNS client in InterNiche NicheStack TCP/IP 4.0.1 is affected by: Insufficient entropy in the DNS transaction id. The impact is: DNS cache poisoning (remote). The component is: dns_query_type(). The attack vector is: a specific DNS response packet. | |||||
| CVE-2021-33027 | 1 Sylabs | 1 Singularity | 2021-07-28 | 7.5 HIGH | 9.8 CRITICAL |
| Sylabs Singularity Enterprise through 1.6.2 has Insufficient Entropy in a nonce. | |||||
| CVE-2021-22727 | 1 Schneider-electric | 12 Evlink City Evc1s22p4, Evlink City Evc1s22p4 Firmware, Evlink City Evc1s7p4 and 9 more | 2021-07-28 | 7.5 HIGH | 9.8 CRITICAL |
| A CWE-331: Insufficient Entropy vulnerability exists in EVlink City (EVC1S22P4 / EVC1S7P4 all versions prior to R8 V3.4.0.1), EVlink Parking (EVW2 / EVF2 / EV.2 all versions prior to R8 V3.4.0.1), and EVlink Smart Wallbox (EVB1A all versions prior to R8 V3.4.0.1 ) that could allow an attacker to gain unauthorized access to the charging station web server | |||||
| CVE-2019-14317 | 1 Wolfssl | 1 Wolfssl | 2021-07-21 | 4.3 MEDIUM | 5.3 MEDIUM |
| wolfSSL and wolfCrypt 4.1.0 and earlier (formerly known as CyaSSL) generate biased DSA nonces. This allows a remote attacker to compute the long term private key from several hundred DSA signatures via a lattice attack. The issue occurs because dsa.c fixes two bits of the generated nonces. | |||||
| CVE-2020-1773 | 1 Otrs | 1 Otrs | 2020-09-23 | 5.5 MEDIUM | 8.1 HIGH |
| An attacker with the ability to generate session IDs or password reset tokens, either by being able to authenticate or by exploiting OSA-2020-09, may be able to predict other users session IDs, password reset tokens and automatically generated passwords. This issue affects ((OTRS)) Community Edition: 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS; 7.0.15 and prior versions. | |||||