CVE-2010-1128

2010-03-2620:30:00

CWE-310

mitre

web.nvd.nist.gov

cve-2010-1128

php

linear congruential generator

entropy

uniqid function

CVSS2

6.4

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:P/A:N

AI Score

9.2

Confidence

High

EPSS

0.009

Percentile

83.1%

JSON

The Linear Congruential Generator (LCG) in PHP before 5.2.13 does not provide the expected entropy, which makes it easier for context-dependent attackers to guess values that were intended to be unpredictable, as demonstrated by session cookies generated by using the uniqid function.

Affected configurations

Nvd

Node

phpphpRange≤5.2.12

phpphpMatch5.2.0

phpphpMatch5.2.1

phpphpMatch5.2.2

phpphpMatch5.2.3

phpphpMatch5.2.4

phpphpMatch5.2.5

phpphpMatch5.2.6

phpphpMatch5.2.7

phpphpMatch5.2.8

phpphpMatch5.2.9

phpphpMatch5.2.10

phpphpMatch5.2.11

VendorProductVersionCPE
phpphp5.2.4cpe:/a:php:php:5.2.4:::
phpphp5.2.9cpe:/a:php:php:5.2.9:::
phpphp5.2.5cpe:/a:php:php:5.2.5:::
phpphp5.2.7cpe:/a:php:php:5.2.7:::
phpphpcpe:/a:php:php::::
phpphp5.2.8cpe:/a:php:php:5.2.8:::
phpphp5.2.6cpe:/a:php:php:5.2.6:::
phpphp5.2.2cpe:/a:php:php:5.2.2:::
phpphp5.2.3cpe:/a:php:php:5.2.3:::
phpphp5.2.1cpe:/a:php:php:5.2.1:::

Vendor	Product	Version	CPE
php	php	5.2.4	cpe:/a:php:php:5.2.4:::
php	php	5.2.9	cpe:/a:php:php:5.2.9:::
php	php	5.2.5	cpe:/a:php:php:5.2.5:::
php	php	5.2.7	cpe:/a:php:php:5.2.7:::
php	php		cpe:/a:php:php::::
php	php	5.2.8	cpe:/a:php:php:5.2.8:::
php	php	5.2.6	cpe:/a:php:php:5.2.6:::
php	php	5.2.2	cpe:/a:php:php:5.2.2:::
php	php	5.2.3	cpe:/a:php:php:5.2.3:::
php	php	5.2.1	cpe:/a:php:php:5.2.1:::