CWE-330—Use of Insufficiently Random Values
PUBLISHEDweakness recordHigh
released 2006-07-19 · last modified 2026-04-30
Metadata
- CWE ID:
- CWE-330
- 摘要:
- Class
- 结构:
- Simple
- 状态:
- Stable
- 发布日期:
- 2006-07-19
- 更新日期:
- 2026-04-30
名称
Use of Insufficiently Random Values
描述
The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.
常见后果
- 范围:
- Confidentiality, Other
- 影响:
- Other
- 注释:
- When a protection mechanism relies on random values to restrict access to a sensitive resource, such as a session ID or a seed for generating a cryptographic key, then the resource being protected could be accessed by guessing the ID or key.
- 范围:
- Access Control, Other
- 影响:
- Bypass Protection Mechanism, Other
- 注释:
- If product relies on unique, unguessable IDs to identify a resource, an attacker might be able to guess an ID for a resource that is owned by another user. The attacker could then read the resource, or pre-create a resource with the same ID to prevent the legitimate program from properly sending the resource to the intended user. For example, a product might maintain session information in a file whose name is based on a username. An attacker could pre-create this file for a victim user, then set the permissions so that the application cannot generate the session for the victim, preventing the victim from using the application.
- 范围:
- Access Control
- 影响:
- Bypass Protection Mechanism, Gain Privileges or Assume Identity
- 注释:
- When an authorization or authentication mechanism relies on random values to restrict access to restricted functionality, such as a session ID or a seed for generating a cryptographic key, then an attacker may access the restricted functionality by guessing the ID or key.