CVE-2024-38270

CWE-3313 documents3 sources

Severity

6.5MEDIUM

EPSS

0.2%

top 54.68%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Zyxel Gs1900-10hp Firmware Zyxel Gs1900-16 Firmware Zyxel Gs1900-24ep Firmware +7 more

Timeline

PublishedSep 10

Description

An insufficient entropy vulnerability caused by the improper use of a randomness function with low entropy for web authentication tokens generation exists in the Zyxel GS1900-10HP firmware version V2.80(AAZI.0)C0. This vulnerability could allow a LAN-based attacker a slight chance to gain a valid session token if multiple authenticated sessions are alive.

CVSS vector

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 1.6 | Impact: 3.6

Affected Packages11 packages

▶NVDzyxel/gs1900-10hp_firmware< 2.80\(aazi.1\)c0

▶CVEListV5zyxel/gs1900-10hp_firmwareV2.80(AAZI.0)C0

▶NVDzyxel/gs1900-8_firmware< 2.80\(aahh.1\)c0

▶NVDzyxel/gs1900-16_firmware< 2.80\(aahj.1\)c0

▶NVDzyxel/gs1900-48_firmware< 2.80\(aahn.1\)c0

🔴Vulnerability Details

CVEList

CVE-2024-38270: An insufficient entropy vulnerability caused by the improper use of a randomness function with low entropy for web authentication tokens generation ex↗2024-09-10

▶

GHSA

GHSA-38vv-qgw3-86p8: An insufficient entropy vulnerability caused by the improper use of a randomness function with low entropy for web authentication tokens generation ex↗2024-09-10

▶