Total
75 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-15847 | 2 Gnu, Opensuse | 2 Gcc, Leap | 2020-09-17 | 5.0 MEDIUM | 7.5 HIGH |
| The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. For example, within a single execution of a program, the output of every __builtin_darn() call may be the same. | |||||
| CVE-2019-9555 | 1 Sagemcom | 2 F\@st 5260, F\@st 5260 Firmware | 2020-08-24 | 5.0 MEDIUM | 5.3 MEDIUM |
| Sagemcom F@st 5260 routers using firmware version 0.4.39, in WPA mode, default to using a PSK that is generated from a 2-part wordlist of known values and a nonce with insufficient entropy. The number of possible PSKs is about 1.78 billion, which is too small. | |||||
| CVE-2017-18883 | 1 Mattermost | 1 Mattermost Server | 2020-07-02 | 6.4 MEDIUM | 9.1 CRITICAL |
| An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2, when serving as an OAuth 2.0 Service Provider. There is low entropy for authorization data. | |||||
| CVE-2020-11957 | 1 Cypress | 1 Psoc 4.2 Ble | 2020-06-22 | 5.4 MEDIUM | 7.5 HIGH |
| The Bluetooth Low Energy implementation in Cypress PSoC Creator BLE 4.2 component versions before 3.64 generates a random number (Pairing Random) with significantly less entropy than the specified 128 bits during BLE pairing. This is the case for both authenticated and unauthenticated pairing with both LE Secure Connections as well as LE Legacy Pairing. A predictable or brute-forceable random number allows an attacker (in radio range) to perform a MITM attack during BLE pairing. | |||||
| CVE-2020-12735 | 1 Domainmod | 1 Domainmod | 2020-05-12 | 7.5 HIGH | 9.8 CRITICAL |
| reset.php in DomainMOD 4.13.0 uses insufficient entropy for password reset requests, leading to account takeover. | |||||
| CVE-2008-1447 | 6 Canonical, Cisco, Debian and 3 more | 8 Ubuntu Linux, Ios, Debian Linux and 5 more | 2020-03-24 | 5.0 MEDIUM | 6.8 MEDIUM |
| The DNS protocol, as implemented in (1) BIND 8 and 9 before 9.5.0-P1, 9.4.2-P1, and 9.3.5-P1; (2) Microsoft DNS in Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP1 and SP2; and other implementations allow remote attackers to spoof DNS traffic via a birthday attack that uses in-bailiwick referrals to conduct cache poisoning against recursive resolvers, related to insufficient randomness of DNS transaction IDs and source ports, aka "DNS Insufficient Socket Entropy Vulnerability" or "the Kaminsky bug." | |||||
| CVE-2015-3006 | 1 Juniper | 3 Junos, Qfx3500, Qfx3600 | 2020-03-10 | 6.8 MEDIUM | 6.5 MEDIUM |
| On the QFX3500 and QFX3600 platforms, the number of bytes collected from the RANDOM_INTERRUPT entropy source when the device boots up is insufficient, possibly leading to weak or duplicate SSH keys or self-signed SSL/TLS certificates. Entropy increases after the system has been up and running for some time, but immediately after boot, the entropy is very low. This issue only affects the QFX3500 and QFX3600 switches. No other Juniper Networks products or platforms are affected by this weak entropy vulnerability. | |||||
| CVE-2015-8851 | 1 Node-uuid Project | 1 Node-uuid | 2020-02-05 | 5.0 MEDIUM | 7.5 HIGH |
| node-uuid before 1.4.4 uses insufficiently random data to create a GUID, which could make it easier for attackers to have unspecified impact via brute force guessing. | |||||
| CVE-2015-7764 | 1 Netflix | 1 Lemur | 2019-12-11 | 5.0 MEDIUM | 7.5 HIGH |
| Lemur 0.1.4 does not use sufficient entropy in its IV when encrypting AES in CBC mode. | |||||
| CVE-2013-2260 | 1 Cryptocat Project | 1 Cryptocat | 2019-11-06 | 5.0 MEDIUM | 9.8 CRITICAL |
| Cryptocat before 2.0.22: Cryptocat.random() Function Array Key has Entropy Weakness | |||||
| CVE-2017-13992 | 1 Loytec | 2 Lvis-3me, Lvis-3me Firmware | 2019-10-09 | 6.8 MEDIUM | 8.1 HIGH |
| An Insufficient Entropy issue was discovered in LOYTEC LVIS-3ME versions prior to 6.2.0. The application does not utilize sufficiently random number generation for the web interface authentication mechanism, which could allow remote code execution. | |||||
| CVE-2017-0897 | 1 Expressionengine | 1 Expressionengine | 2019-10-09 | 5.0 MEDIUM | 7.5 HIGH |
| ExpressionEngine version 2.x < 2.11.8 and version 3.x < 3.5.5 create an object signing token with weak entropy. Successfully guessing the token can lead to remote code execution. | |||||
| CVE-2018-8435 | 1 Microsoft | 2 Windows 10, Windows Server 2016 | 2019-10-03 | 2.3 LOW | 4.2 MEDIUM |
| A security feature bypass vulnerability exists when Windows Hyper-V BIOS loader fails to provide a high-entropy source, aka "Windows Hyper-V Security Feature Bypass Vulnerability." This affects Windows Server 2016, Windows 10, Windows 10 Servers. | |||||
| CVE-2018-10240 | 1 Solarwinds | 1 Serv-u | 2018-06-25 | 5.0 MEDIUM | 7.3 HIGH |
| SolarWinds Serv-U MFT before 15.1.6 HFv1 assigns authenticated users a low-entropy session token that can be included in requests to the application as a URL parameter in lieu of a session cookie. This session token's value can be brute-forced by an attacker to obtain the corresponding session cookie and hijack the user's session. | |||||
| CVE-2014-0691 | 1 Cisco | 1 Webex Meetings Server | 2017-11-14 | 5.0 MEDIUM | 7.3 HIGH |
| Cisco WebEx Meetings Server before 1.1 uses meeting IDs with insufficient entropy, which makes it easier for remote attackers to bypass authentication and join arbitrary meetings without a password, aka Bug ID CSCuc79643. | |||||