CWE-338
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
Insecure PRNG fallback in Crypt::ScryptKDF for Perl (versions through 0.010) exposes applications to cryptographically weak random byte generation when none of five recognized CSPRNG modules are installed. The `random_bytes` function silently degrades to Perl's built-in `rand()`, which is not a cryptographically secure source, potentially weakening scrypt-derived salts or keys in password hashing and key derivation workflows. No public exploit is identified and EPSS is 0.02% (4th percentile), but the cryptographic impact in minimally-configured Perl environments could be severe, as predictable salts dramatically reduce the cost of offline attacks against derived key material.
Predictable salt generation in the Perl module Crypt::SaltedHash through version 0.09 weakens password hash storage by deriving salts from Perl's non-cryptographic rand() function. Attackers who obtain a salted hash database can predict or precompute salts, dramatically reducing the cost of offline brute-force or rainbow-table attacks against stored credentials. No public exploit identified at time of analysis and EPSS exploitation probability is negligible (0.01%), but the upstream maintainer has released a fix in version 0.10 that switches to a system CSPRNG.
Amazon::Credentials for Perl versions through 1.2.0 uses the predictable built-in rand() function to generate 64-bit encryption keys for credential obfuscation, allowing attackers to recover stored credentials through key prediction rather than cryptographic attack. Affects Perl applications that depend on this library to protect AWS credentials and similar secrets in memory or serialized objects. No authentication required; exploitation requires access to the encrypted credential object and knowledge of the rand() seed.
Weak salt generation in Crypt::PasswdMD5 (Perl) through version 1.42 enables password hash cracking via predictable random values. The module uses Perl's built-in rand() function for salt generation instead of cryptographically secure random sources, allowing attackers to predict salt values and drastically reduce the computational cost of offline password cracking attacks. CVSS 7.5 (High) with network vector and no authentication required. SSVC assessment indicates the vulnerability is automatable with partial technical impact. EPSS and KEV data not provided, but the cryptographic weakness is architecturally exploitable wherever these password hashes are transmitted or stored in accessible locations.
Predictable token generation in RELATE courseware allows remote attackers to forge authentication and exam access tokens. The vulnerability affects two critical security functions: make_sign_in_key() in auth.py (user authentication) and gen_ticket_code() in exam.py (exam access control). Weak pseudorandom number generation (CWE-338) enables attackers with high complexity to bypass authentication mechanisms and gain unauthorized access to exams with potential for integrity and availability compromise across security boundaries (CVSS scope change). Patched in commit 2f68e16. EPSS data not available; no public exploit identified at time of analysis.
SmarterTools SmarterMail builds prior to 9610 contain a cryptographic weakness in the file and email sharing endpoints that use DES-CBC encryption with keys and initialization vectors derived from System.Random seeded with insufficient entropy, reducing the seed space to approximately 19,000 possible values. An unauthenticated attacker can use the attachment download endpoint as an oracle to determine the seed in use and derive encryption keys and initialization vectors to forge sharing tokens for arbitrary emails, attachments, or file storage contents without prior access to the targeted content.
Apache::API::Password versions through v0.5.2 for Perl can generate insecure random values for salts. The _make_salt and _make_salt_bcrypt methods attempt to load Crypt::URandom and then Bytes::Random::Secure to generate random bytes for the salt. If neither module is available, they simply return 16 bytes generated with Perl's built-in rand function, which is unsuitable for cryptographic use. These salts are used for password hashing.
Mbed TLS 3.x before 3.6.6, 4.x before 4.1.0, and TF-PSA-Crypto before 1.1.0 contain a predictable seed vulnerability in their pseudo-random number generator (PRNG) implementation that compromises the cryptographic strength of generated random values. Attackers with knowledge of the seed initialization mechanism can predict PRNG output, enabling them to forge cryptographic material, decrypt communications, or impersonate legitimate parties. No active exploitation has been confirmed, but the information disclosure nature of this vulnerability affects all applications relying on these libraries for cryptographic operations.
Weak pseudo-random number generation in Cloudreve enables JWT forgery and complete account takeover on instances initialized before v4.10.0. Attackers can brute-force the PRNG seed (achievable in under 3 hours on consumer hardware) by obtaining administrator creation timestamps via public APIs and validating against known hashids, then forge valid JWTs for any user including administrators. No public exploit confirmed at time of analysis, though detailed attack methodology is disclosed. CVSS 8.1 (High) reflects network-accessible privilege escalation despite high attack complexity requiring cryptographic brute-forcing.
PAGI::Middleware::Session::Store::Cookie through version 0.001003 generates cryptographically weak initialization vectors (IVs) for session cookie encryption by falling back to Perl's built-in rand() function when /dev/urandom is unavailable, particularly affecting Windows systems. This predictable IV generation enables attackers to decrypt and tamper with session data stored in cookies, compromising session confidentiality and integrity. No active exploitation has been confirmed, but the vulnerability affects all deployments on systems lacking /dev/urandom access.