SYM_JAVA_0005 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Use of Insufficiently Random Values
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-330: Use of Insufficiently Random Values |
| OWASP | A02:2021 - Cryptographic Failures |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description
The code uses scala.util.Random to generate random values, which are predictable and not suitable for security-sensitive operations like tokens or passwords. Instead, a cryptographically secure random number generator should be used.
Impact
If predictable random values are used for CSRF tokens, password-reset tokens, or similar secrets, attackers could guess or reproduce them, leading to account takeover, unauthorized access, or compromise of sensitive data.
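Added example, not code from the Symbiotic database: the predictable pattern the rule flags next to a replacement built on java.security.SecureRandom. Object and method names (TokenExamples, insecureToken, secureToken) are constructed for illustration.

```scala
import java.security.SecureRandom
import java.util.Base64

object TokenExamples {
  // FLAGGED PATTERN: scala.util.Random wraps java.util.Random, a 48-bit linear
  // congruential generator whose output is fully determined by its seed, which
  // is derived from the clock by default. Tokens built this way can be
  // reproduced by anyone who recovers the seed, so do not use this for secrets.
  def insecureToken(length: Int = 32): String =
    scala.util.Random.alphanumeric.take(length).mkString

  // FIX: SecureRandom draws from the platform CSPRNG. 32 bytes give 256 bits
  // of entropy; URL-safe Base64 without padding keeps the token usable in
  // links and headers as-is. One shared instance is thread-safe and avoids
  // repeated seeding.
  private val secureRng = new SecureRandom()

  def secureToken(numBytes: Int = 32): String = {
    val bytes = new Array[Byte](numBytes)
    secureRng.nextBytes(bytes)
    Base64.getUrlEncoder().withoutPadding().encodeToString(bytes)
  }

  // FIX for code that relies on the scala.util.Random API (alphanumeric,
  // shuffle, ...): scala.util.Random accepts any java.util.Random, and
  // SecureRandom is a subclass of java.util.Random, so wrapping it keeps the
  // convenient API while fixing the entropy source.
  private val secureScalaRandom = new scala.util.Random(new SecureRandom())

  def secureAlphanumericToken(length: Int = 32): String =
    secureScalaRandom.alphanumeric.take(length).mkString

  def main(args: Array[String]): Unit = {
    println(s"insecure (do not use): ${insecureToken()}")
    println(s"secure (raw bytes):    ${secureToken()}")
    println(s"secure (scala API):    ${secureAlphanumericToken()}")
  }
}
```

Reviewing for this rule means checking both the generator class and the seed: a scala.util.Random constructed from a SecureRandom is acceptable, while one seeded with a timestamp or constant is not.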