Category: Comprehensive Categorization: Randomness
Incomplete
Summary
Weaknesses in this category are related to randomness.
Membership
| ID | Name | Description |
|---|---|---|
| CWE-1204 | Generation of Weak Initialization Vector (IV) | The product uses a cryptographic primitive that uses an Initialization Vector (IV), but the product does not generate IVs that are sufficiently unpredictable or unique according to the expected cryptographic requirements for that primitive. |
| CWE-1241 | Use of Predictable Algorithm in Random Number Generator | The device uses an algorithm that is predictable and generates a pseudo-random number. |
| CWE-323 | Reusing a Nonce, Key Pair in Encryption | Nonces should be used for the present occasion and only once. |
| CWE-329 | Generation of Predictable IV with CBC Mode | The product generates and uses a predictable initialization Vector (IV) with Cipher Block Chaining (CBC) Mode, which causes algorithms to be susceptible to dictionary attacks when they are encrypted under the same key. |
| CWE-330 | Use of Insufficiently Random Values | The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers. |
| CWE-331 | Insufficient Entropy | The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others. |
| CWE-332 | Insufficient Entropy in PRNG | The lack of entropy available for, or used by, a Pseudo-Random Number Generator (PRNG) can be a stability and security threat. |
| CWE-333 | Improper Handling of Insufficient Entropy in TRNG | True random number generators (TRNG) generally have a limited source of entropy and therefore can fail or block. |
| CWE-334 | Small Space of Random Values | The number of possible random values is smaller than needed by the product, making it more susceptible to brute force attacks. |
| CWE-335 | Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) | The product uses a Pseudo-Random Number Generator (PRNG) but does not correctly manage seeds. |
| CWE-336 | Same Seed in Pseudo-Random Number Generator (PRNG) | A Pseudo-Random Number Generator (PRNG) uses the same seed each time the product is initialized. |
| CWE-337 | Predictable Seed in Pseudo-Random Number Generator (PRNG) | A Pseudo-Random Number Generator (PRNG) is initialized from a predictable seed, such as the process ID or system time. |
| CWE-338 | Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) | The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong. |
| CWE-339 | Small Seed Space in PRNG | A Pseudo-Random Number Generator (PRNG) uses a relatively small seed space, which makes it more susceptible to brute force attacks. |
| CWE-340 | Generation of Predictable Numbers or Identifiers | The product uses a scheme that generates numbers or identifiers that are more predictable than required. |
| CWE-341 | Predictable from Observable State | A number or object is predictable based on observations that the attacker can make about the state of the system or network, such as time, process ID, etc. |
| CWE-342 | Predictable Exact Value from Previous Values | An exact value or random number can be precisely predicted by observing previous values. |
| CWE-343 | Predictable Value Range from Previous Values | The product's random number generator produces a series of values which, when observed, can be used to infer a relatively small range of possibilities for the next value that could be generated. |
| CWE-344 | Use of Invariant Value in Dynamically Changing Context | The product uses a constant value, name, or reference, but this value can (or should) vary across different environments. |
| CWE-6 | J2EE Misconfiguration: Insufficient Session-ID Length | The J2EE application is configured to use an insufficient session ID length. |
| CWE-1400 | Comprehensive Categorization for Software Assurance Trends |
Vulnerability Mapping Notes
Usage: Prohibited
Reasons: Category
Rationale:
This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves [REF-1330].
Comment:
See member weaknesses of this category.