Weaknesses in this category are related to a software system's random number generation.

| ID | Name | Description |
|---|---|---|
| CWE-1241 | Use of Predictable Algorithm in Random Number Generator | This vulnerability occurs when a device or application relies on a predictable algorithm to generate pseudo-random numbers, making the output sequence foreseeable. |
| CWE-331 | Insufficient Entropy | This vulnerability occurs when a system's random number generator or algorithm lacks sufficient unpredictability, creating patterns or predictable outputs that are easier for attackers to guess. |
| CWE-334 | Small Space of Random Values | This vulnerability occurs when a system uses a random number generator that produces too few possible values. Attackers can easily predict or guess these values through brute force attacks. |
| CWE-335 | Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) | This vulnerability occurs when a Pseudo-Random Number Generator (PRNG) is used, but its initial seed value is handled insecurely or is predictable, compromising the randomness of its output. |
| CWE-338 | Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) | This vulnerability occurs when software uses a pseudo-random number generator (PRNG) that is not cryptographically strong for security-sensitive operations, such as generating keys, tokens, or initialization vectors. |
| CWE-341 | Predictable from Observable State | This vulnerability occurs when an attacker can guess or deduce sensitive values, like random numbers or identifiers, by observing predictable system or network characteristics such as timestamps, process IDs, or other public information. |
| CWE-342 | Predictable Exact Value from Previous Values | This vulnerability occurs when a system uses a predictable sequence for generating values, allowing an attacker to accurately guess future numbers by analyzing past ones. |
| CWE-343 | Predictable Value Range from Previous Values | This vulnerability occurs when a system's random number generator produces values that, after observing previous outputs, allow an attacker to predict a limited range for the next value. |
| CWE-344 | Use of Invariant Value in Dynamically Changing Context | This vulnerability occurs when code uses a fixed, unchanging value (like a hardcoded string, number, or reference) in a situation where that value should actually be flexible and adapt to different runtime conditions or environments. |
| CWE-699 | Software Development | This view organizes weaknesses around concepts that are frequently used or encountered in software development. This includes all aspects of the software development lifecycle including both architecture and implementation. Accordingly, this view can align closely with the perspectives of architects, developers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping. |