CWE-335: Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)
CWE Version: 4.18
Last Updated: 2025-09-09
Description
The product uses a Pseudo-Random Number Generator (PRNG) but does not correctly manage seeds.
Common Consequences
Scope: Access Control; Other
Technical Impact: Bypass Protection Mechanism; Other
Note: If a PRNG is used incorrectly, such as using the same seed for each initialization or using a predictable seed, then an attacker may be able to easily guess the seed and thus the random numbers. This could lead to unauthorized access to a system if the seed is used for authentication and authorization.
Observed Examples
Reference: CVE-2020-7010
Cloud application on Kubernetes generates passwords using a weak random number generator based on deployment time.
Reference: CVE-2019-11495
Server uses erlang:now() to seed the PRNG, which results in a small search space for potential random seeds.
Reference: CVE-2018-12520
Product's PRNG is not seeded for the generation of session IDs.
Reference: CVE-2016-10180
Router's PIN generation is based on rand(time(0)) seeding.
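The predictable-seed pattern behind the observed examples (a PIN from rand(time(0)), passwords derived from deployment time) next to the hardened form, as an added Python example that is not part of the CWE entry. The function names and the 86400-second (one-day) seed window are assumptions for illustration.

```python
import math
import random
import secrets
import string
import time

ALPHABET = string.ascii_letters + string.digits


def weak_password(seed: int, length: int = 16) -> str:
    """Vulnerable pattern from the observed examples: a credential drawn from a
    PRNG seeded with a low-entropy value (here an integer such as the deployment
    time in seconds). The stream is fully determined by the seed, so anyone who
    knows or can enumerate the seed reproduces the same password."""
    rng = random.Random(seed)  # Mersenne Twister, deterministic for a given seed
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def weak_password_from_clock() -> tuple[int, str]:
    """The rand(time(0))-style seeding: the seed is the current whole second."""
    seed = int(time.time())
    return seed, weak_password(seed)


def effective_entropy_bits(length: int, seed_candidates: int) -> float:
    """A password carries no more entropy than the seed that produced it:
    min(nominal bits of the string, log2 of the number of possible seeds)."""
    nominal = length * math.log2(len(ALPHABET))
    return min(nominal, math.log2(seed_candidates))


def strong_password(length: int = 16) -> str:
    """Hardened form: draw directly from the OS CSPRNG via `secrets`.
    There is no application-managed seed, so there is nothing to guess."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    seed, pw = weak_password_from_clock()
    print(f"seed {seed} -> {pw} (reproducible: {weak_password(seed) == pw})")
    # Assumed scenario: the deployment day is known -> 86400 candidate seeds
    print(f"effective entropy: {effective_entropy_bits(16, 86400):.1f} bits "
          f"of a nominal {16 * math.log2(62):.1f}")
    print(f"CSPRNG: {strong_password()}")
```

A 16-character alphanumeric password nominally holds about 95 bits, but when its seed is a timestamp known to within a day it holds about 16.4 bits, which is the gap the CWE describes.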
Modes of Introduction
| Phase | Note |
|---|---|
| Implementation | REALIZATION: This weakness is caused during implementation of an architectural security tactic. |
Applicable Platforms
Languages
Taxonomy Mappings
| Mapped Taxonomy Name | Node ID | Mapped Node Name | Mapping Fit |
|---|---|---|---|
| PLOVER | - | PRNG Seed Error | - |