Description
ValiCert Enterprise Validation Authority (EVA) Administration Server 3.3 through 4.2.1 uses insufficiently random data to (1) generate session tokens for HSMs using the C rand function, or (2) generate certificates or keys using /dev/urandom instead of another source which blocks when the entropy pool is low, which could make it easier for local or remote attackers to steal tokens or certificates via brute force guessing.
References (6)
Core 6
Core References
Third Party Advisory, VDB Entry vdb-entry
x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/7651
Broken Link, Patch, Third Party Advisory, VDB Entry, Vendor Advisory vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/3620
Exploit, Mailing List mailing-list
x_refsource_bugtraq
http://marc.info/?l=bugtraq&m=100749428517090&w=2
Third Party Advisory, VDB Entry vdb-entry
x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/7653
Broken Link x_refsource_confirm
http://www.valicert.com/support/security_advisory_eva.html
Broken Link, Patch, Third Party Advisory, VDB Entry, Vendor Advisory vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/3618
Scores
CVSS v3
7.5
EPSS
0.0159
EPSS Percentile
72.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-331
Status
published
Products (1)
valicert/enterprise_validation_authority
3.3 - 4.2.1
Published
Dec 04, 2001
Tracked Since
Feb 18, 2026