SYM_JAVA_0116 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Use of Insufficiently Random Values
| Property | Value |
|---|---|
| Language | java |
| Severity | |
| CWE | CWE-330: Use of Insufficiently Random Values |
| OWASP | A02:2021 - Cryptographic Failures |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description
The code uses Math.random() or java.util.Random to generate random values. These generators are not suitable for security-sensitive tasks such as creating passwords, tokens, or any other secret data, because their output can be predicted.
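The weak pattern this entry flags, shown beside its SecureRandom-based replacement, as an added example that is not part of the wiki entry; the class, method names and token length are hypothetical.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Random;

public class TokenGeneration {
    private static final String ALPHABET =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

    // Shared loop; the only security-relevant difference is which Random is passed in.
    private static String tokenFrom(Random rng, int length) {
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) {
            sb.append(ALPHABET.charAt(rng.nextInt(ALPHABET.length())));
        }
        return sb.toString();
    }

    // WEAK (the pattern this entry flags): java.util.Random is a deterministic
    // PRNG whose future output is fixed by its internal state. Math.random() is
    // backed by a java.util.Random instance too, so it is no better.
    static String weakToken(int length) {
        return tokenFrom(new Random(), length);
    }

    // HARDENED: SecureRandom extends Random, so it fits the same loop but is CSPRNG-backed.
    static String secureToken(int length) {
        return tokenFrom(new SecureRandom(), length);
    }

    // HARDENED, preferred for opaque tokens: 32 raw CSPRNG bytes (256 bits),
    // URL-safe Base64 without padding so the value is safe in cookies/headers.
    static String secureOpaqueToken() {
        byte[] buf = new byte[32];
        new SecureRandom().nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    // Why java.util.Random is unsuitable: identical state yields identical tokens.
    static boolean sameSeedGivesSameToken() {
        return tokenFrom(new Random(12345L), 32).equals(tokenFrom(new Random(12345L), 32));
    }

    public static void main(String[] args) {
        System.out.println("weak   (java.util.Random): " + weakToken(32));
        System.out.println("secure (SecureRandom):     " + secureToken(32));
        System.out.println("secure (opaque bytes):     " + secureOpaqueToken());
        System.out.println("seeded Random repeats:     " + sameSeedGivesSameToken());
    }
}
```

A code scan for this entry should treat any `new Random(` or `Math.random()` that feeds a token, password, salt or nonce as a finding, and accept only `SecureRandom` in those paths.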
Impact
If an attacker can predict the generated values, they may be able to guess session tokens, passwords, or other secrets, leading to unauthorized access or data breaches. This can compromise user accounts and the overall security of the application.