BaseDraft

CWE-331Insufficient Entropy

Category: other

Description

The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.

Common consequences· 1

  • Access Control / Other — Bypass Protection Mechanism, Other
    An attacker could guess the random numbers generated and could gain unauthorized access to a system if the random numbers are used for authentication and authorization.

Potential mitigations· 1

  • [Implementation]Determine the necessary entropy to adequately provide for randomness and predictability. This can be achieved by increasing the number of bits of objects such as keys and seeds.

Related CAPEC attack patterns· 1

CAPEC-59

References

  1. https://cwe.mitre.org/data/definitions/331.html

Exploits (incoming)1

TypeTargetConfidenceTier
AttackPatternSession Credential Falsification through Predictioncapec-59100%live

(incoming)9

TypeTargetConfidenceTier
VulnerabilityCVE-2025-13399cve-2025-133990%live
VulnerabilityCVE-2025-15387cve-2025-153870%live
VulnerabilityCVE-2025-1828cve-2025-18280%live
VulnerabilityCVE-2025-47781cve-2025-477810%live
VulnerabilityCVE-2025-52464cve-2025-524640%live
VulnerabilityCVE-2025-66565cve-2025-665650%live
VulnerabilityCVE-2025-67504cve-2025-675040%live
VulnerabilityCVE-2026-34236cve-2026-342360%live
VulnerabilityCVE-2026-7210cve-2026-72100%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CWE
Use of Insufficiently Random Values
CWE
Generation of Predictable Numbers or Identifiers
CWE
Use of a Cryptographic Primitive with a Risky Implementation
CWE
Use of Weak Hash
CWE
Use of a Broken or Risky Cryptographic Algorithm
CWE
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
Sourced from MITRE CWE 4.20. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.