| CWE ID | Description |
| --- | --- |
| CWE-33 | The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '....' (multiple dot) sequences that can resolve to a location that is outside of that directory. |
| CWE-330 | The software uses insufficiently random numbers or values in a security context that depends on unpredictable numbers. |
| CWE-331 | The software uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others. |
| CWE-332 | The lack of entropy available for, or used by, a Pseudo-Random Number Generator (PRNG) can be a stability and security threat. |
| CWE-333 | True random number generators (TRNG) generally have a limited source of entropy and therefore can fail or block. |
| CWE-334 | The number of possible random values is smaller than needed by the product, making it more susceptible to brute force attacks. |
| CWE-335 | The software uses a Pseudo-Random Number Generator (PRNG) that does not correctly manage seeds. |
| CWE-336 | A Pseudo-Random Number Generator (PRNG) uses the same seed each time the product is initialized. |
| CWE-337 | A Pseudo-Random Number Generator (PRNG) is initialized from a predictable seed, such as the process ID or system time. |
| CWE-338 | The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong. |