CVE-2021-3692
Published: 2021-08-10
CVE-2021-3692: yii2 is vulnerable to Use of Predictable Algorithm in Random Number Generator
Priority: P4 | 27 | medium | 5.3 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS: 1.70% (74.3rd percentile)
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| yiiframework | yii | >= 2.0.0 < 2.0.43 | 2.0.43 |
| yiisoft | yii2-dev | >= 0 < 2.0.43 | 2.0.43 |
| yiisoft | yiisoft_yii2 | unspecified – 2.0.42.1 | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| nvd | 3.0 | 8.1 | HIGH | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
OSV
osv · 2021-09-01: CVE-2021-3692 [MEDIUM] Use of Cryptographically Weak Pseudo-Random Number Generator in yiisoft/yii2-dev
yii2 is vulnerable to Use of Predictable Algorithm in Random Number Generator
GHSA
ghsa · 2021-09-01: CVE-2021-3692 [MEDIUM] CWE-330 Use of Cryptographically Weak Pseudo-Random Number Generator in yiisoft/yii2-dev
yii2 is vulnerable to Use of Predictable Algorithm in Random Number Generator
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
CWE (mitre_cwe)
CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.
When a non-cryptographic PRNG is used in a cryptographic context, it can expose the cryptography to certain types of attacks. Often a pseudo-random number generator (PRNG) is not designed for cryptography. Sometimes a mediocre source of randomness is sufficient or preferable for algorithms that use random numbers. Weak generators generally take less processing power and/or do not use the precious, finite entropy sources on a system. While such PRNGs might have very useful features, these same features could be used to break the cryptography.
Modes of Introduction:
Phase: Arc
CWE (mitre_cwe)
CWE-330: Use of Insufficiently Random Values
The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.
Background: Computers are deterministic machines, and as such are unable to produce true randomness. Pseudo-Random Number Generators (PRNGs) approximate randomness algorithmically, starting with a seed from which subsequent values are calculated. There are two types of PRNGs: statistical and cryptographic. Statistical PRNGs provide useful statistical properties, but their output is highly predictable and forms an easy to reproduce numeric stream that is unsuitable for use in cases where security depends on generated values being unpredictable. Cryptographic PRNGs address this problem by generating output that is more difficult
CWE (mitre_cwe)
CWE-1241: Use of Predictable Algorithm in Random Number Generator
The device uses an algorithm that is predictable and generates a pseudo-random number.
Pseudo-random number generator algorithms are predictable because their registers have a finite number of possible states, which eventually lead to repeating patterns. As a result, pseudo-random number generators (PRNGs) can compromise their randomness or expose their internal state to various attacks, such as reverse engineering or tampering.
Modes of Introduction:
Phase: Architecture and Design
Phase: Implementation
Note: In many cases, the design originally defines a cryptographically secure random number generator, but is then changed during implementation due to unforeseen constraints.
Common Consequences:
Scope: Confidentiality.