CWE-330 380 個 CVE MITRE 定義 ↗

CWE-330:Use of Insufficiently Random Values

概覽

CWE-330(Use of Insufficiently Random Values)描述一種在漏洞資料庫與安全評估中使用的弱點類型;定義、背景與對應 CVE 見下方各節。

安全影響
安全影響:因產品與情境而異;請結合 CVE 紀錄、嚴重度評分與 MITRE 說明進行優先級判斷。

描述

The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.

背景詳情

來自 CWE 目錄的擴展上下文(由 MITRE XHTML 渲染)。

Computers are deterministic machines, and as such are unable to produce true randomness. Pseudo-Random Number Generators (PRNGs) approximate randomness algorithmically, starting with a seed from which subsequent values are calculated. There are two types of PRNGs: statistical and cryptographic. Statistical PRNGs provide useful statistical properties, but their output is highly predictable and forms an easy to reproduce numeric stream that is unsuitable for use in cases where security depends on generated values being unpredictable. Cryptographic PRNGs address this problem by generating output that is more difficult to predict. For a value to be cryptographically secure, it must be impossible or highly improbable for an attacker to distinguish between it and a truly random value.

適用平台

類型 名稱 普遍性 OS / CPE
language Not Language-Specific Undetermined
technology Not Technology-Specific Undetermined

本庫相關 CVE

下列 CVE 在本庫中對應到該弱點,並保留以便追溯與檢索。

CVE 公開時間 摘要
CVE-2026-46351 2026-07-16 BigBlueButton is an open-source virtual classroom. Prior to 3.0.21, bbb-web generated conference sessionToken values with insufficiently secure randomness in bbb-common-web/src/main/java/org/bigbluebu…
CVE-2026-47703 2026-07-15 AdGuard Home is a network-wide software for blocking ads and tracking. Prior to 0.107.75, AdGuard Home's client-triggered DoQ forwarding path to a udp:// upstream reduced backend UDP DNS state by prod…
CVE-2026-14702 2026-07-05 A flaw has been found in zcaceres markdownify-mcp up to 1.1.0. This impacts the function saveToTempFile of the file src/Markdownify.ts of the component webpage-to-markdown/youtube-to-markdown/bing-sea…
CVE-2026-14570 2026-07-04 Crypt::DSA versions before 1.22 for Perl draw the DSA signing nonce and private key from a biased random generator, leading to private-key recovery. "Crypt::DSA::Util::makerandom forces the high bit …
CVE-2026-57082 2026-06-30 Net::BitTorrent versions through 2.0.1 for Perl generate the MSE Diffie-Hellman private key with a non-cryptographic PRNG. The MSE (Message Stream Encryption) handshake derives its 160-bit Diffie-Hel…
CVE-2026-11374 2026-06-23 In ManageEngine ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus, the SSO tickets generated to authenticate that session could be predicted by an unauthenticated user, le…
CVE-2026-50009 2026-06-12 Netty is a network application framework for development of protocol servers and clients. Prior to version 4.2.15.Final, Netty QUIC exposes the stateless reset token on the network path when using the…
CVE-2026-45673 2026-06-12 Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty's DNS resolver uses a predictable PRNG for generating …
CVE-2026-41701 2026-06-09 Correlation IDs for replies in the RabbitTemplate.sendAndReceive() with the fixed reply queue are predictable due to internal simple counter. Affected versions: Spring AMQP 4.0.0 through 4.0.3; 3.2.0…
CVE-2026-41838 2026-06-09 IDs for WebSocket sessions in the spring-websocket module are not cryptographically unpredictable, which may be possible to exploit in combination with inadequate authorization rules. Affected versio…
CVE-2026-41207 2026-06-04 The netty incubator codec.bhttp is a java language binary http parser. Prior to version 0.0.21.Final, HKDF_expand returns non-NULL on failure. The byte[] is filled with zeros and has no way to disting…
CVE-2026-50208 2026-06-04 High-risk TrustAllCerts routines disable standard TLS certificate validation. Combined with hard-coded DES symmetric encryption keys, a Man-in-the-Middle (MITM) actor could decrypt network traffic.
CVE-2026-44054 2026-05-21 Netatalk 2.0.0 through 4.4.2 generates AFP session tokens derived from predictable process IDs, which allows a remote authenticated attacker to cause a denial of service by exploiting the reconnect me…
CVE-2026-42155 2026-05-15 Magento Long Term Support (LTS) is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Pri…
CVE-2026-41505 2026-05-07 RELATE is a web-based courseware package. Prior to commit 2f68e16, RELATE is vulnerable to predictable token generation in auth.py's make_sign_in_key() function and exam.py's gen_ticket_code() functio…
CVE-2026-7847 2026-05-05 A vulnerability was found in chatchat-space Langchain-Chatchat up to 0.3.1.3. The affected element is the function _get_file_id of the file libs/chatchat-server/chatchat/server/api_server/openai_route…
CVE-2026-40975 2026-04-27 Values produced by ${random.value} are not suitable for use as secrets. ${random.uuid} is not affected. ${random.int} and ${random.long} should never be used for secrets as they are numeric values wit…
CVE-2026-40496 2026-04-20 FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, attachment download tokens are generated using a weak and predictable formula: `md5(APP_KEY + attachment_id + si…
CVE-2026-40306 2026-04-17 DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. All new installations of DNN 10.x.x - 10.2.1 have the same Host GUID. This does not affect…
CVE-2026-33710 2026-04-10 Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, REST API keys are generated using md5(time() + (user_id * 5) - rand(10000, 10000)). The rand(10000, 10000) call always ret…

曾用名

  • Randomness and Predictability (2008-04-11)

內容提交

名稱
PLOVER
日期
2006-07-19
版本
Draft 3

內容修訂

日期 名稱 版本 重要性 評論
2008-07-01 Eric Dalci 1.0 updated Time_of_Introduction
2008-09-08 CWE Content Team 1.0 updated Background_Details, Relationships, Other_Notes, Relationship_Notes, Taxonomy_Mappings, Weakness_Ordinalities
2008-11-24 CWE Content Team 1.1 updated Relationships, Taxonomy_Mappings
2009-01-12 CWE Content Team 1.2 updated Description, Likelihood_of_Exploit, Other_Notes, Potential_Mitigations, Relationships
2009-03-10 CWE Content Team 1.3 updated Potential_Mitigations
2009-05-27 CWE Content Team 1.4 updated Demonstrative_Examples, Related_Attack_Patterns
2009-12-28 CWE Content Team 1.7 updated Applicable_Platforms, Common_Consequences, Description, Observed_Examples, Potential_Mitigations, Time_of_Introduction
2010-02-16 CWE Content Team 1.8 updated References, Relationships, Taxonomy_Mappings
2010-04-05 CWE Content Team 1.8.1 updated Related_Attack_Patterns
2010-06-21 CWE Content Team 1.9 updated Detection_Factors, Potential_Mitigations
2011-03-29 CWE Content Team 1.12 updated Demonstrative_Examples
2011-06-01 CWE Content Team 1.13 updated Common_Consequences, Relationships, Taxonomy_Mappings
2011-06-27 CWE Content Team 2.0 updated Relationships
2011-09-13 CWE Content Team 2.1 updated Potential_Mitigations, References, Relationships, Taxonomy_Mappings
2012-05-11 CWE Content Team 2.2 updated Demonstrative_Examples, Observed_Examples, References, Relationships
2014-02-18 CWE Content Team 2.6 updated Related_Attack_Patterns
2014-06-23 CWE Content Team 2.7 updated Related_Attack_Patterns
2014-07-30 CWE Content Team 2.8 updated Detection_Factors
2015-12-07 CWE Content Team 2.9 updated Relationships
2017-11-08 CWE Content Team 3.0 updated Functional_Areas, Likelihood_of_Exploit, Modes_of_Introduction, References, Relationships, Taxonomy_Mappings
2018-03-27 CWE Content Team 3.1 updated References
2019-01-03 CWE Content Team 3.2 updated Relationships, Taxonomy_Mappings
2019-06-20 CWE Content Team 3.3 updated Relationships
2020-02-24 CWE Content Team 4.0 updated Applicable_Platforms, Description, Relationships
2021-03-15 CWE Content Team 4.4 updated Maintenance_Notes, Relationships
2021-07-20 CWE Content Team 4.5 updated Demonstrative_Examples, Maintenance_Notes, Observed_Examples
2021-10-28 CWE Content Team 4.6 updated Relationships
2022-10-13 CWE Content Team 4.9 updated Observed_Examples, Relationships
2023-01-31 CWE Content Team 4.10 updated Common_Consequences, Description
2023-04-27 CWE Content Team 4.11 updated References, Relationships
2023-06-29 CWE Content Team 4.12 updated Mapping_Notes, Relationships
2023-10-26 CWE Content Team 4.13 updated Observed_Examples
2024-02-29 CWE Content Team 4.14 updated Mapping_Notes
2025-09-09 CWE Content Team 4.18 updated Description, Detection_Factors, Diagram, References
2025-12-11 CWE Content Team 4.19 updated Relationships
2026-04-30 CWE Content Team 4.20 updated Potential_Mitigations
cvelogic Threat Intelligence