Total
63 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2022-33756 | 1 Broadcom | 1 Ca Automic Automation | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
CA Automic Automation 12.2 and 12.3 contain an entropy weakness vulnerability in the Automic AutomationEngine that could allow a remote attacker to potentially access sensitive data. | |||||
CVE-2022-31034 | 1 Linuxfoundation | 1 Argo-cd | 2023-12-10 | 6.8 MEDIUM | 8.1 HIGH |
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting with v0.11.0 are vulnerable to a variety of attacks when an SSO login is initiated from the Argo CD CLI or UI. The vulnerabilities are due to the use of insufficiently random values in parameters in Oauth2/OIDC login flows. In each case, using a relatively-predictable (time-based) seed in a non-cryptographically-secure pseudo-random number generator made the parameter less random than required by the relevant spec or by general best practices. In some cases, using too short a value made the entropy even less sufficient. The attacks on login flows which are meant to be mitigated by these parameters are difficult to accomplish but can have a high impact potentially granting an attacker admin access to Argo CD. Patches for this vulnerability has been released in the following Argo CD versions: v2.4.1, v2.3.5, v2.2.10 and v2.1.16. There are no known workarounds for this vulnerability. | |||||
CVE-2021-36320 | 1 Dell | 18 X1008, X1008 Firmware, X1008p and 15 more | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
Dell Networking X-Series firmware versions prior to 3.0.1.8 contain an authentication bypass vulnerability. A remote unauthenticated attacker may potentially hijack a session and access the webserver by forging the session ID. | |||||
CVE-2021-42138 | 1 Thalesgroup | 1 Safenet Windows Logon Agent | 2023-12-10 | 3.5 LOW | 6.5 MEDIUM |
A user of a machine protected by SafeNet Agent for Windows Logon may leverage weak entropy to access the encrypted credentials of any or all the users on that machine. | |||||
CVE-2021-22799 | 1 Schneider-electric | 1 Software Update | 2023-12-10 | 2.1 LOW | 3.8 LOW |
A CWE-331: Insufficient Entropy vulnerability exists that could cause unintended connection from an internal network to an external network when an attacker manages to decrypt the SESU proxy password from the registry. Affected Product: Schneider Electric Software Update, V2.3.0 through V2.5.1 | |||||
CVE-2021-22727 | 1 Schneider-electric | 12 Evlink City Evc1s22p4, Evlink City Evc1s22p4 Firmware, Evlink City Evc1s7p4 and 9 more | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
A CWE-331: Insufficient Entropy vulnerability exists in EVlink City (EVC1S22P4 / EVC1S7P4 all versions prior to R8 V3.4.0.1), EVlink Parking (EVW2 / EVF2 / EV.2 all versions prior to R8 V3.4.0.1), and EVlink Smart Wallbox (EVB1A all versions prior to R8 V3.4.0.1 ) that could allow an attacker to gain unauthorized access to the charging station web server | |||||
CVE-2021-31797 | 1 Cyberark | 1 Credential Provider | 2023-12-10 | 1.9 LOW | 5.1 MEDIUM |
The user identification mechanism used by CyberArk Credential Provider prior to 12.1 is susceptible to a local host race condition, leading to password disclosure. | |||||
CVE-2021-3505 | 3 Fedoraproject, Libtpms Project, Redhat | 3 Fedora, Libtpms, Enterprise Linux | 2023-12-10 | 2.1 LOW | 5.5 MEDIUM |
A flaw was found in libtpms in versions before 0.8.0. The TPM 2 implementation returns 2048 bit keys with ~1984 bit strength due to a bug in the TCG specification. The bug is in the key creation algorithm in RsaAdjustPrimeCandidate(), which is called before the prime number check. The highest threat from this vulnerability is to data confidentiality. | |||||
CVE-2021-33027 | 1 Sylabs | 1 Singularity | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
Sylabs Singularity Enterprise through 1.6.2 has Insufficient Entropy in a nonce. | |||||
CVE-2021-31798 | 1 Cyberark | 1 Credential Provider | 2023-12-10 | 1.9 LOW | 4.4 MEDIUM |
The effective key space used to encrypt the cache in CyberArk Credential Provider prior to 12.1 has low entropy, and under certain conditions a local malicious user can obtain the plaintext of cache files. | |||||
CVE-2020-25926 | 1 Hcc-embedded | 1 Nichestack Tcp\/ip | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
The DNS client in InterNiche NicheStack TCP/IP 4.0.1 is affected by: Insufficient entropy in the DNS transaction id. The impact is: DNS cache poisoning (remote). The component is: dns_query_type(). The attack vector is: a specific DNS response packet. | |||||
CVE-2021-29471 | 2 Fedoraproject, Matrix | 2 Fedora, Synapse | 2023-12-10 | 5.0 MEDIUM | 5.3 MEDIUM |
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.33.2 "Push rules" can specify conditions under which they will match, including `event_match`, which matches event content against a pattern including wildcards. Certain patterns can cause very poor performance in the matching engine, leading to a denial-of-service when processing moderate length events. The issue is patched in version 1.33.2. A potential workaround might be to prevent users from making custom push rules, by blocking such requests at a reverse-proxy. | |||||
CVE-2020-28924 | 2 Fedoraproject, Rclone | 2 Fedora, Rclone | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
An issue was discovered in Rclone before 1.53.3. Due to the use of a weak random number generator, the password generator has been producing weak passwords with much less entropy than advertised. The suggested passwords depend deterministically on the time the second rclone was started. This limits the entropy of the passwords enormously. These passwords are often used in the crypt backend for encryption of data. It would be possible to make a dictionary of all possible passwords with about 38 million entries per password length. This would make decryption of secret material possible with a plausible amount of effort. NOTE: all passwords generated by affected versions should be changed. | |||||
CVE-2020-11957 | 1 Cypress | 1 Psoc 4.2 Ble | 2023-12-10 | 5.4 MEDIUM | 7.5 HIGH |
The Bluetooth Low Energy implementation in Cypress PSoC Creator BLE 4.2 component versions before 3.64 generates a random number (Pairing Random) with significantly less entropy than the specified 128 bits during BLE pairing. This is the case for both authenticated and unauthenticated pairing with both LE Secure Connections as well as LE Legacy Pairing. A predictable or brute-forceable random number allows an attacker (in radio range) to perform a MITM attack during BLE pairing. | |||||
CVE-2020-10285 | 1 Ufactory | 2 Xarm 5 Lite, Xarm 5 Lite Firmware | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
The authentication implementation on the xArm controller has very low entropy, making it vulnerable to a brute-force attack. There is no mechanism in place to mitigate or lockout automated attempts to gain access. | |||||
CVE-2020-12735 | 1 Domainmod | 1 Domainmod | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
reset.php in DomainMOD 4.13.0 uses insufficient entropy for password reset requests, leading to account takeover. | |||||
CVE-2017-18883 | 1 Mattermost | 1 Mattermost Server | 2023-12-10 | 6.4 MEDIUM | 9.1 CRITICAL |
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2, when serving as an OAuth 2.0 Service Provider. There is low entropy for authorization data. | |||||
CVE-2020-1773 | 1 Otrs | 1 Otrs | 2023-12-10 | 5.5 MEDIUM | 8.1 HIGH |
An attacker with the ability to generate session IDs or password reset tokens, either by being able to authenticate or by exploiting OSA-2020-09, may be able to predict other users session IDs, password reset tokens and automatically generated passwords. This issue affects ((OTRS)) Community Edition: 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS; 7.0.15 and prior versions. | |||||
CVE-2019-10064 | 2 Debian, W1.fi | 2 Debian Linux, Hostapd | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
hostapd before 2.6, in EAP mode, makes calls to the rand() and random() standard library functions without any preceding srand() or srandom() call, which results in inappropriate use of deterministic values. This was fixed in conjunction with CVE-2016-10743. | |||||
CVE-2019-15703 | 1 Fortinet | 1 Fortios | 2023-12-10 | 2.6 LOW | 7.5 HIGH |
An Insufficient Entropy in PRNG vulnerability in Fortinet FortiOS 6.2.1, 6.2.0, 6.0.8 and below for device not enable hardware TRNG token and models not support builtin TRNG seed allows attacker to theoretically recover the long term ECDSA secret in a TLS client with a RSA handshake and mutual ECDSA authentication via the help of flush+reload side channel attacks in FortiGate VM models only. |