Total
117 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-6508 | 1 Redhat | 1 Openshift | 2025-08-27 | 8 High |
| An insufficient entropy vulnerability was found in the Openshift Console. In the authorization code type and implicit grant type, the OAuth2 protocol is vulnerable to a Cross-Site Request Forgery (CSRF) attack if the state parameter is used inefficiently. This flaw allows logging into the victim’s current application account using a third-party account without any restrictions. | ||||
| CVE-2025-54885 | 2025-08-07 | N/A | ||
| Thinbus Javascript Secure Remote Password is a browser SRP6a implementation for zero-knowledge password authentication. In versions 2.0.0 and below, a protocol compliance bug causes the client to generate a fixed 252 bits of entropy instead of the intended bit length of the safe prime (defaulted to 2048 bits). The client public value is being generated from a private value that is 4 bits below the specification. This reduces the protocol's designed security margin it is now practically exploitable. The servers full sized 2048 bit random number is used to create the shared session key and password proof. This is fixed in version 2.0.1. | ||||
| CVE-2025-6931 | 2 D-link, Dlink | 6 Dcs-6517, Dcs-7517, Dcs-6517 and 3 more | 2025-07-14 | 3.7 Low |
| A vulnerability classified as problematic was found in D-Link DCS-6517 and DCS-7517 up to 2.02.0. Affected by this vulnerability is the function generate_pass_from_mac of the file /bin/httpd of the component Root Password Generation Handler. The manipulation leads to insufficient entropy. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer. | ||||
| CVE-2012-4687 | 1 Postoaktraffic | 1 Awam Bluetooth Reader | 2025-07-09 | N/A |
| Post Oak AWAM Bluetooth Reader Traffic System does not use a sufficient source of entropy for private keys, which makes it easier for man-in-the-middle attackers to spoof a device by predicting a key value. | ||||
| CVE-2022-34746 | 1 Zyxel | 20 Gs1900-10hp, Gs1900-10hp Firmware, Gs1900-16 and 17 more | 2025-05-29 | 5.9 Medium |
| An insufficient entropy vulnerability caused by the improper use of randomness sources with low entropy for RSA key pair generation was found in Zyxel GS1900 series firmware versions prior to V2.70. This vulnerability could allow an unauthenticated attacker to retrieve a private key by factoring the RSA modulus N in the certificate of the web administration interface. | ||||
| CVE-2024-25407 | 1 Steve-community | 1 Steve | 2025-05-08 | 7.5 High |
| SteVe v3.6.0 was discovered to use predictable transaction ID's when receiving a StartTransaction request. This vulnerability can allow attackers to cause a Denial of Service (DoS) by using the predicted transaction ID's to terminate other transactions. | ||||
| CVE-2024-25730 | 1 Hitrontech | 4 Coda-4582u, Coda-4582u Firmware, Coda-4589 and 1 more | 2025-05-05 | 9.8 Critical |
| Hitron CODA-4582 and CODA-4589 devices have default PSKs that are generated from 5-digit hex values concatenated with a "Hitron" substring, resulting in insufficient entropy (only about one million possibilities). | ||||
| CVE-2022-31034 | 2 Argoproj, Redhat | 2 Argo Cd, Openshift Gitops | 2025-04-23 | 8.3 High |
| Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting with v0.11.0 are vulnerable to a variety of attacks when an SSO login is initiated from the Argo CD CLI or UI. The vulnerabilities are due to the use of insufficiently random values in parameters in Oauth2/OIDC login flows. In each case, using a relatively-predictable (time-based) seed in a non-cryptographically-secure pseudo-random number generator made the parameter less random than required by the relevant spec or by general best practices. In some cases, using too short a value made the entropy even less sufficient. The attacks on login flows which are meant to be mitigated by these parameters are difficult to accomplish but can have a high impact potentially granting an attacker admin access to Argo CD. Patches for this vulnerability has been released in the following Argo CD versions: v2.4.1, v2.3.5, v2.2.10 and v2.1.16. There are no known workarounds for this vulnerability. | ||||
| CVE-2014-0691 | 1 Cisco | 1 Webex Meetings Server | 2025-04-20 | N/A |
| Cisco WebEx Meetings Server before 1.1 uses meeting IDs with insufficient entropy, which makes it easier for remote attackers to bypass authentication and join arbitrary meetings without a password, aka Bug ID CSCuc79643. | ||||
| CVE-2015-7764 | 1 Netflix | 1 Lemur | 2025-04-20 | 7.5 High |
| Lemur 0.1.4 does not use sufficient entropy in its IV when encrypting AES in CBC mode. | ||||
| CVE-2015-3405 | 7 Debian, Fedoraproject, Ntp and 4 more | 14 Debian Linux, Fedora, Ntp and 11 more | 2025-04-20 | N/A |
| ntp-keygen in ntp 4.2.8px before 4.2.8p2-RC2 and 4.3.x before 4.3.12 does not generate MD5 keys with sufficient entropy on big endian machines when the lowest order byte of the temp variable is between 0x20 and 0x7f and not #, which might allow remote attackers to obtain the value of generated MD5 keys via a brute force attack with the 93 possible keys. | ||||
| CVE-2017-0897 | 1 Expressionengine | 1 Expressionengine | 2025-04-20 | N/A |
| ExpressionEngine version 2.x < 2.11.8 and version 3.x < 3.5.5 create an object signing token with weak entropy. Successfully guessing the token can lead to remote code execution. | ||||
| CVE-2017-6030 | 1 Schneider-electric | 6 Modicon M221, Modicon M221 Firmware, Modicon M241 and 3 more | 2025-04-20 | 6.5 Medium |
| A Predictable Value Range from Previous Values issue was discovered in Schneider Electric Modicon PLCs Modicon M221, firmware versions prior to Version 1.5.0.0, Modicon M241, firmware versions prior to Version 4.0.5.11, and Modicon M251, firmware versions prior to Version 4.0.5.11. The affected products generate insufficiently random TCP initial sequence numbers that may allow an attacker to predict the numbers from previous values. This may allow an attacker to spoof or disrupt TCP connections. | ||||
| CVE-2016-2564 | 1 Invisioncommunity | 1 Invision Power Board | 2025-04-20 | N/A |
| Invision Power Services (IPS) Community Suite before 4.1.9 makes session hijack easier by relying on the PHP uniqid function without the more_entropy flag. Attackers can guess an Invision Power Board session cookie if they can predict the exact time of cookie generation. | ||||
| CVE-2017-13992 | 1 Loytec | 2 Lvis-3me, Lvis-3me Firmware | 2025-04-20 | N/A |
| An Insufficient Entropy issue was discovered in LOYTEC LVIS-3ME versions prior to 6.2.0. The application does not utilize sufficiently random number generation for the web interface authentication mechanism, which could allow remote code execution. | ||||
| CVE-2021-4240 | 1 Phpservermonitor | 1 Php Server Monitor | 2025-04-15 | 2.6 Low |
| A vulnerability, which was classified as problematic, was found in phpservermon. This affects the function generatePasswordResetToken of the file src/psm/Service/User.php. The manipulation leads to use of predictable algorithm in random number generator. The exploit has been disclosed to the public and may be used. The name of the patch is 3daa804d5f56c55b3ae13bfac368bb84ec632193. It is recommended to apply a patch to fix this issue. The identifier VDB-213717 was assigned to this vulnerability. | ||||
| CVE-2021-4241 | 1 Phpservermonitor | 1 Php Server Monitor | 2025-04-15 | 2.6 Low |
| A vulnerability, which was classified as problematic, was found in phpservermon. Affected is the function setUserLoggedIn of the file src/psm/Service/User.php. The manipulation leads to use of predictable algorithm in random number generator. The exploit has been disclosed to the public and may be used. The name of the patch is bb10a5f3c68527c58073258cb12446782d223bc3. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-213744. | ||||
| CVE-2016-2858 | 3 Canonical, Debian, Qemu | 3 Ubuntu Linux, Debian Linux, Qemu | 2025-04-12 | 6.5 Medium |
| QEMU, when built with the Pseudo Random Number Generator (PRNG) back-end support, allows local guest OS users to cause a denial of service (process crash) via an entropy request, which triggers arbitrary stack based allocation and memory corruption. | ||||
| CVE-2014-7284 | 1 Linux | 1 Linux Kernel | 2025-04-12 | N/A |
| The net_get_random_once implementation in net/core/utils.c in the Linux kernel 3.13.x and 3.14.x before 3.14.5 on certain Intel processors does not perform the intended slow-path operation to initialize random seeds, which makes it easier for remote attackers to spoof or disrupt IP communication by leveraging the predictability of TCP sequence numbers, TCP and UDP port numbers, and IP ID values. | ||||
| CVE-2016-5300 | 4 Canonical, Debian, Google and 1 more | 4 Ubuntu Linux, Debian Linux, Android and 1 more | 2025-04-12 | N/A |
| The XML parser in Expat does not use sufficient entropy for hash initialization, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted identifiers in an XML document. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0876. | ||||