CVEbaza.plSłownik CWECWE-341
Common Weakness Enumeration

CWE-341

Predictable from Observable State

Kategoria: BaseCVE: 14
Opis

Liczba lub obiekt jest przewidywalny na podstawie obserwacji, które atakujący może dokonać na temat stanu systemu lub sieci, takich jak czas, identyfikator procesu itp. Słabość ta pozwala atakującemu na przewidzenie wartości, które powinny być losowe lub trudne do odgadnięcia.

Description (EN)

A number or object is predictable based on observations that the attacker can make about the state of the system or network, such as time, process ID, etc.

Podatności CVE z CWE-341 (14)
9.8
CVSS
CRITICAL
CVE-2019-6563

Moxa IKS and EDS generate a predictable cookie calculated with an MD5 hash, allowing an attacker to capture the administrator's password, which could lead to a full compromise of the device.

pub. 2019-03-05
9.1
CVSS
CRITICAL
CVE-2026-5081

Moduł Apache::Session::Generate::ModUniqueId w wersjach od 1.54 do 1.94 generuje identyfikatory sesji Perl w sposób kryptograficznie niepewny, opierając się na przewidywalnych danych. Atakujący może odgadnąć lub odtworzyć identyfikatory sesji innych użytkowników, co prowadzi do przejęcia ich sesji.

pub. 2026-05-06
9.1
CVSS
CRITICAL
CVE-2020-1731

A flaw was found in all versions of the Keycloak operator, before version 8.0.2,(community only) where the operator generates a random admin password when installing Keycloak, however the password remains the same when deployed to the same OpenShift namespace.

pub. 2020-03-02
8.6
CVSS
HIGH
CVE-2026-42365

A guessable session cookie vulnerability exists in the Web Interface functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted series of HTTP requests can lead to an authentication bypas. An attacker can bruteforce session cookies to trigger this vulnerability.

pub. 2026-05-04
8.6
CVSS
HIGH
CVE-2025-40780

In specific circumstances, due to a weakness in the Pseudo Random Number Generator (PRNG) that is used, it is possible for an attacker to predict the source port and query ID that BIND will use. This issue affects BIND 9 versions 9.16.0 through 9.16.50, 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.16.8-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1.

pub. 2025-10-22
7.5
CVSS
HIGH
CVE-2026-40164

jq is a command-line JSON processor. Before commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784, jq used MurmurHash3 with a hardcoded, publicly visible seed (0x432A9843) for all JSON object hash table operations, which allowed an attacker to precompute key collisions offline. By supplying a crafted JSON object (~100 KB) where all keys hashed to the same bucket, hash table lookups degraded from O(1) to O(n), turning any jq expression into an O(n²) operation and causing significant CPU exhaustion. This affected common jq use cases such as CI/CD pipelines, web services, and data processing scripts, and was far more practical to exploit than existing heap overflow issues since it required only a small payload. This issue has been patched in commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784.

pub. 2026-04-14
7.5
CVSS
HIGH
CVE-2023-49259

The authentication cookies are generated using an algorithm based on the username, hardcoded secret and the up-time, and can be guessed in a reasonable time.

pub. 2024-01-12
7.3
CVSS
HIGH
CVE-2026-36609

Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 uses a static authentication nonce that does not change between requests from the same source IP. Combined with the predictable XOR-based password encoding (securityEncode function), this allows an attacker to reverse captured authentication tokens to recover the plaintext password.

pub. 2026-06-03
6.3
CVSS
MEDIUM
CVE-2024-10141

A vulnerability, which was classified as problematic, was found in jsbroks COCO Annotator 0.11.1. This affects an unknown part of the component Session Handler. The manipulation of the argument SECRET_KEY leads to predictable from observable state. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used.

pub. 2024-10-19
5.3
CVSS
MEDIUM
CVE-2020-5365

Dell EMC Isilon versions 8.2.2 and earlier contain a remotesupport vulnerability. The pre-configured support account, remotesupport, is bundled in the Dell EMC Isilon OneFS installation. This account is used for diagnostics and other support functions. Although the default password is different for every cluster, it is predictable.

pub. 2020-05-20
5.3
CVSS
MEDIUM
CVE-2018-17917

All versions of Hangzhou Xiongmai Technology Co., Ltd XMeye P2P Cloud Server may allow an attacker to use MAC addresses to enumerate potential Cloud IDs. Using this ID, the attacker can discover and connect to valid devices using one of the supported apps.

pub. 2018-10-10
5.0
CVSS
MEDIUM
CVE-2025-48461

Successful exploitation of the vulnerability could allow an unauthenticated attacker to conduct brute force guessing and account takeover as the session cookies are predictable, potentially allowing the attackers to gain root, admin or user access and reset passwords.

pub. 2025-06-24
4.3
CVSS
MEDIUM
CVE-2025-42925

Due to the lack of randomness in assigning Object Identifiers in the SAP NetWeaver AS JAVA IIOP service, an authenticated attacker with low privileges could predict the identifiers by conducting a brute force search. By leveraging knowledge of several identifiers generated close to the same time, the attacker could determine a desired identifier which could enable them to access limited system information. This poses a low risk to confidentiality without impacting the integrity or availability of the service.

pub. 2025-09-09
2.6
CVSS
LOW
CVE-2021-4277

A vulnerability, which was classified as problematic, has been found in fredsmith utils. This issue affects some unknown processing of the file screenshot_sync of the component Filename Handler. The manipulation leads to predictable from observable state. The name of the patch is dbab1b66955eeb3d76b34612b358307f5c4e3944. It is recommended to apply a patch to fix this issue. The identifier VDB-216749 was assigned to this vulnerability.

pub. 2022-12-25
Informacje
ID: CWE-341
Typ: Base
Podatności: 14
MITRE CWE ↗
← Słownik CWE
CWE-341 — Przewidywalność na podstawie obserwowalnego stanu | Słownik CWE | CVEbaza.pl