Vulnerability Details : CVE-2022-34295

totd before 1.5.3 does not properly randomize mesg IDs.

Published 2022-06-23 17:15:18

Updated 2022-07-06 18:49:05

Source MITRE

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2022-34295

Probability of exploitation activity in the next 30 days: 0.10%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 40 % EPSS Score History EPSS FAQ

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Source
4.3	MEDIUM	AV:N/AC:M/Au:N/C:P/I:N/A:N	8.6	2.9	nvd@nist.gov
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None
6.5	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N	2.8	3.6	nvd@nist.gov
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: None Availability: None

CWE-330 Use of Insufficiently Random Values

The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.

Assigned by: nvd@nist.gov (Primary)

https://www.usenix.org/conference/usenixsecurity22/presentation/jeitner

XDRI Attacks - and - How to Enhance Resilience of Residential Routers | USENIX
Vendor Advisory

CVEs referencing this url
https://github.com/fwdillema/totd/commit/afd8a10a6a21f82a70940d1b43cff48143250399

Patch provided by Gabor Lencse for generating better randomized mesg … · fwdillema/totd@afd8a10 · GitHub
Patch;Third Party Advisory
https://github.com/fwdillema/totd/releases/tag/1.5.3

Release Improved randomization of mesg IDs · fwdillema/totd · GitHub
Patch;Release Notes;Third Party Advisory
http://www.hit.bme.hu/~lencse/publications/JCST-Apr14-2.pdf

Exploit;Technical Description;Third Party Advisory

Totd Project » Totd
Versions before (<) 1.5.3
cpe:2.3:a:totd_project:totd:*:*:*:*:*:*:*:*
Matching versions