apache/harmony: The latest CVE Vulnerabilities and Exploits for Penetration Test

Last Updated: 2023-05-04

Page content

apache/harmony Vulnerability Summary

Vendor name: apache
Product name: harmony
Total vulnerabilities: 1 (as 2023-05-04)

apache/harmony Vulnerability List

CVE-2013-7372: The engineNextBytes function in…

Published: 2014-04-29T20:55:00 Last Modified: 2014-04-30T14:23:00

Summary

The engineNextBytes function in classlib/modules/security/src/main/java/common/org/apache/harmony/security/provider/crypto/SHA1PRNG_SecureRandomImpl.java in the SecureRandom implementation in Apache Harmony through 6.0M3, as used in the Java Cryptography Architecture (JCA) in Android before 4.4 and other products, when no seed is provided by the user, uses an incorrect offset value, which makes it easier for attackers to defeat cryptographic protection mechanisms by leveraging the resulting PRNG predictability, as exploited in the wild against Bitcoin wallet applications in August 2013.

Common Weakness Enumeration (CWE): CWE-310: Cryptographic Issues

CWE Description: Weaknesses in this category are related to the design and implementation of data confidentiality and integrity. Frequently these deal with the use of encoding techniques, encryption libraries, and hashing algorithms. The weaknesses in this category could lead to a degradation of the quality data if they are not addressed.

Scores

Impact Score: 2.9
Exploitability Score: 10.0
CVSS: 5.0
CVSS Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

Impact

Availability: NONE
Confidentiality: NONE
Integrity: PARTIAL

Access

Authentication: NONE
Complexity: LOW
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2013-7372 vulnerability.

References