Total
69 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-17877 | 1 Greedy599 | 1 Greedy 599 | 2018-12-07 | 5.0 MEDIUM | 7.5 HIGH |
| A lottery smart contract implementation for Greedy 599, an Ethereum gambling game, generates a random value that is predictable via an external contract call. The developer used the extcodesize() function to prevent a malicious contract from being called, but the attacker can bypass it by writing the core code in the constructor of their exploit code. Therefore, it allows attackers to always win and get rewards. | |||||
| CVE-2018-16115 | 1 Lightbend | 1 Akka | 2018-11-08 | 6.4 MEDIUM | 9.1 CRITICAL |
| Lightbend Akka 2.5.x before 2.5.16 allows message disclosure and modification because of an RNG error. A random number generator is used in Akka Remoting for TLS (both classic and Artery Remoting). Akka allows configuration of custom random number generators. For historical reasons, Akka included the AES128CounterSecureRNG and AES256CounterSecureRNG random number generators. The implementations had a bug that caused the generated numbers to be repeated after only a few bytes. The custom RNG implementations were not configured by default but examples in the documentation showed (and therefore implicitly recommended) using the custom ones. This can be used by an attacker to compromise the communication if these random number generators are enabled in configuration. It would be possible to eavesdrop, replay, or modify the messages sent with Akka Remoting/Cluster. | |||||
| CVE-2018-12885 | 1 Mycryptochamp | 1 Mycryptochamp | 2018-10-18 | 4.3 MEDIUM | 5.9 MEDIUM |
| The randMod() function of the smart contract implementation for MyCryptoChamp, an Ethereum game, generates a random value with publicly readable variables such as the current block information and a private variable, (which can be read with a getStorageAt call). Therefore, attackers can get powerful champs/items and get rewards. | |||||
| CVE-2018-14715 | 1 Cryptogs | 1 Cryptogs | 2018-10-02 | 5.0 MEDIUM | 7.5 HIGH |
| The endCoinFlip function and throwSlammer function of the smart contract implementations for Cryptogs, an Ethereum game, generate random numbers with an old block's hash. Therefore, attackers can predict the random number and always win the game. | |||||
| CVE-2018-12454 | 1 1000guess | 1 1000 Guess | 2018-08-14 | 5.0 MEDIUM | 7.5 HIGH |
| The _addguess function of a simplelottery smart contract implementation for 1000 Guess, an Ethereum gambling game, generates a random value with publicly readable variables such as the current block information and a private variable (which can be read with a getStorageAt call). Therefore, it allows attackers to always win and get rewards. | |||||
| CVE-2017-9230 | 1 Bitcoin | 1 Bitcoin | 2018-06-13 | 5.0 MEDIUM | 7.5 HIGH |
| ** DISPUTED ** The Bitcoin Proof-of-Work algorithm does not consider a certain attack methodology related to 80-byte block headers with a variety of initial 64-byte chunks followed by the same 16-byte chunk, multiple candidate root values ending with the same 4 bytes, and calculations involving sqrt numbers. This violates the security assumptions of (1) the choice of input, outside of the dedicated nonce area, fed into the Proof-of-Work function should not change its difficulty to evaluate and (2) every Proof-of-Work function execution should be independent. NOTE: a number of persons feel that this methodology is a benign mining optimization, not a vulnerability. | |||||
| CVE-2017-11671 | 1 Gnu | 1 Gcc | 2018-04-11 | 2.1 LOW | 4.0 MEDIUM |
| Under certain circumstances, the ix86_expand_builtin function in i386.c in GNU Compiler Collection (GCC) version 4.6, 4.7, 4.8, 4.9, 5 before 5.5, and 6 before 6.4 will generate instruction sequences that clobber the status flag of the RDRAND and RDSEED intrinsics before it can be read, potentially causing failures of these instructions to go unreported. This could potentially lead to less randomness in random number generation. | |||||
| CVE-2017-17845 | 2 Debian, Enigmail | 2 Debian Linux, Enigmail | 2018-02-03 | 7.5 HIGH | 7.3 HIGH |
| An issue was discovered in Enigmail before 1.9.9. Improper Random Secret Generation occurs because Math.Random() is used by pretty Easy privacy (pEp), aka TBE-01-001. | |||||
| CVE-2017-18021 | 1 Qtpass | 1 Qtpass | 2018-01-18 | 5.0 MEDIUM | 9.8 CRITICAL |
| It was discovered that QtPass before 1.2.1, when using the built-in password generator, generates possibly predictable and enumerable passwords. This only applies to the QtPass GUI. | |||||