Insufficient Entropy

CVE-2018-18326

High

7.5/10

Summary

DNN (aka DotNetNuke) 9.2 through 9.2.2 incorrectly converts encryption key source values, resulting in lower than expected entropy. NOTE: this issue exists because of an incomplete fix for CVE-2018-15812.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: NONE
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: HIGH
Availability Impact: NONE

CWE-331 - Insufficient Entropy

The software uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.

References

POC/Exploit
Advisory

Advisory Timeline

Published Apr 15, 2019

Insufficient Entropy

CVE-2018-18326

Summary

CWE-331 - Insufficient Entropy

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS