CWE-341
Predictable from Observable State
Description
A number or object is predictable based on observations that the attacker can make about the state of the system or network, such as time, process ID, etc.
Parent Weaknesses (ChildOf)
Common Consequences
Scope
Impact
Varies by Context
Potential Mitigations
Increase the entropy used to seed a PRNG.
Use products or modules that conform to FIPS 140-2 [REF-267] to avoid obvious entropy problems. Consult FIPS 140-2 Annex C ("Approved Random Number Generators").
Use a PRNG that periodically re-seeds itself using input from high-quality sources, such as hardware devices with high entropy. However, do not re-seed too frequently, or else the entropy source might block.
CVE-2024-48445Chain: e-commerce app relies on an easily-guessable timestamp (CWE-341) in a weak authentication algorithm (CWE-1390)
CVE-2002-0389Mail server stores private mail messages with predictable filenames in a world-executable directory, which allows local users to read private mailing list archives.
CVE-2001-1141PRNG allows attackers to use the output of small PRNG requests to determine the internal state information, which could be used by attackers to predict future pseudo-random numbers.
CVE-2000-0335DNS resolver library uses predictable IDs, which allows a local attacker to spoof DNS query results.
CVE-2005-1636MFV. predictable filename and insecure permissions allows file modification to execute SQL queries.
Applicable Platforms
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now