Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)

CVE-2020-7010

High

7.5/10

Summary

Elastic Cloud on Kubernetes (ECK) versions prior to 1.1.0 generate passwords using a weak random number generator. If an attacker is able to determine when the current Elastic Stack cluster was deployed they may be able to more easily brute force the Elasticsearch credentials generated by ECK.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: NONE
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: HIGH
Availability Impact: NONE

CWE-335 - Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)

The software uses a Pseudo-Random Number Generator (PRNG) but does not correctly manage seeds.

References

Advisory
Advisory
Pull request

Advisory Timeline

Published Jun 03, 2020

Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)

CVE-2020-7010

Summary

CWE-335 - Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS