Early Access — Mondoo Vulnerability Intelligence is currently in preview.

Mondoo Vulnerability Intelligence

Curated by Mondoo Research, enhanced with AI

Resources

Search Vulnerabilities
Trending CVEs
Browse Ecosystems
Terminology
Blog

Open Source

cnquery
cnspec

Star us on GitHub!

Company

Mondoo Platform
About
Contact

Vulnerability Intelligence

CWE-340: Generation of Predictable Numbers or Identifiers | Mondoo Vulnerability Intelligence

CWE-340

ClassIncomplete

View on MITRE

Generation of Predictable Numbers or Identifiers

The product uses a scheme that generates numbers or identifiers that are more predictable than required.

21 linked vulnerabilities

2 related weaknesses

OtherVaries by Context

Automated Static Analysis

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

Modes of Introduction

Architecture and DesignImplementation

Related Weaknesses

CWE-330ChildOf CWE-384CanPrecede

Example CVEs (3)

CVE-2022-29330

Product for administering PBX systems uses predictable identifiers and timestamps for filenames (CWE-340) which allows attackers to access files via direct request (CWE-425).

CVE-2001-1141

PRNG allows attackers to use the output of small PRNG requests to determine the internal state information, which could be used by attackers to predict future pseudo-random numbers.

CVE-1999-0074

Listening TCP ports are sequentially allocated, allowing spoofing attacks.

External Links

MITRE CWE Database