Vulnerabilities > Insufficient Entropy

DATE CVE VULNERABILITY TITLE RISK
2018-04-12 CVE-2014-8422 Insufficient Entropy vulnerability in Unify Openscape Desk Phone IP SIP and Openstage SIP
The web-based management (WBM) interface in Unify (former Siemens) OpenStage SIP and OpenScape Desk Phone IP V3 devices before R3.32.0 generates session cookies with insufficient entropy, which makes it easier for remote attackers to hijack sessions via a brute-force attack.
network
high complexity
unify CWE-331
8.1
2017-10-24 CVE-2014-0691 Insufficient Entropy vulnerability in Cisco Webex Meetings Server 1.0
Cisco WebEx Meetings Server before 1.1 uses meeting IDs with insufficient entropy, which makes it easier for remote attackers to bypass authentication and join arbitrary meetings without a password, aka Bug ID CSCuc79643.
network
low complexity
cisco CWE-331
7.3
2017-10-05 CVE-2017-13992 Insufficient Entropy vulnerability in Loytec Lvis-3Me Firmware 6.1.1
An Insufficient Entropy issue was discovered in LOYTEC LVIS-3ME versions prior to 6.2.0.
network
high complexity
loytec CWE-331
8.1
2017-08-09 CVE-2015-7764 Insufficient Entropy vulnerability in Netflix Lemur 0.1.4
Lemur 0.1.4 does not use sufficient entropy in its IV when encrypting AES in CBC mode.
network
low complexity
netflix CWE-331
7.5
2017-08-09 CVE-2015-3405 Insufficient Entropy vulnerability in multiple products
ntp-keygen in ntp 4.2.8px before 4.2.8p2-RC2 and 4.3.x before 4.3.12 does not generate MD5 keys with sufficient entropy on big endian machines when the lowest order byte of the temp variable is between 0x20 and 0x7f and not #, which might allow remote attackers to obtain the value of generated MD5 keys via a brute force attack with the 93 possible keys.
7.5
2017-06-30 CVE-2017-6030 Insufficient Entropy vulnerability in Schneider-Electric products
A Predictable Value Range from Previous Values issue was discovered in Schneider Electric Modicon PLCs Modicon M221, firmware versions prior to Version 1.5.0.0, Modicon M241, firmware versions prior to Version 4.0.5.11, and Modicon M251, firmware versions prior to Version 4.0.5.11.
network
low complexity
schneider-electric CWE-331
6.5
2017-06-22 CVE-2017-0897 Insufficient Entropy vulnerability in Expressionengine
ExpressionEngine version 2.x < 2.11.8 and version 3.x < 3.5.5 create an object signing token with weak entropy.
network
low complexity
expressionengine CWE-331
7.5
2017-04-23 CVE-2016-2564 Insufficient Entropy vulnerability in Invisioncommunity Invision Power Board
Invision Power Services (IPS) Community Suite before 4.1.9 makes session hijack easier by relying on the PHP uniqid function without the more_entropy flag.
network
high complexity
invisioncommunity CWE-331
5.9
2016-04-07 CVE-2016-2858 Insufficient Entropy vulnerability in multiple products
QEMU, when built with the Pseudo Random Number Generator (PRNG) back-end support, allows local guest OS users to cause a denial of service (process crash) via an entropy request, which triggers arbitrary stack based allocation and memory corruption.
local
low complexity
qemu canonical debian CWE-331
6.5
2008-07-08 CVE-2008-1447 Insufficient Entropy vulnerability in ISC Bind 4/8/9.2.9
The DNS protocol, as implemented in (1) BIND 8 and 9 before 9.5.0-P1, 9.4.2-P1, and 9.3.5-P1; (2) Microsoft DNS in Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP1 and SP2; and other implementations allow remote attackers to spoof DNS traffic via a birthday attack that uses in-bailiwick referrals to conduct cache poisoning against recursive resolvers, related to insufficient randomness of DNS transaction IDs and source ports, aka "DNS Insufficient Socket Entropy Vulnerability" or "the Kaminsky bug."
network
high complexity
isc CWE-331
6.8