CWE-330Use of Insufficiently Random Values

PUBLISHEDweakness recordHigh
released 2006-07-19 · last modified 2026-04-30
CWE-330 - Use of Insufficiently Random Values - Diagram

Metadata

CWE ID:
CWE-330
摘要:
Class
结构:
Simple
状态:
Stable
发布日期:
2006-07-19
更新日期:
2026-04-30

名称

Use of Insufficiently Random Values

描述

The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.

常见后果

范围:
Confidentiality, Other
影响:
Other
注释:
When a protection mechanism relies on random values to restrict access to a sensitive resource, such as a session ID or a seed for generating a cryptographic key, then the resource being protected could be accessed by guessing the ID or key.
范围:
Access Control, Other
影响:
Bypass Protection Mechanism, Other
注释:
If product relies on unique, unguessable IDs to identify a resource, an attacker might be able to guess an ID for a resource that is owned by another user. The attacker could then read the resource, or pre-create a resource with the same ID to prevent the legitimate program from properly sending the resource to the intended user. For example, a product might maintain session information in a file whose name is based on a username. An attacker could pre-create this file for a victim user, then set the permissions so that the application cannot generate the session for the victim, preventing the victim from using the application.
范围:
Access Control
影响:
Bypass Protection Mechanism, Gain Privileges or Assume Identity
注释:
When an authorization or authentication mechanism relies on random values to restrict access to restricted functionality, such as a session ID or a seed for generating a cryptographic key, then an attacker may access the restricted functionality by guessing the ID or key.

相关 CWE