CVE-2001-0950

ValiCert Enterprise Validation Authority (EVA) Administration Server 3.3 through 4.2.1 uses insufficiently random data to (1) generate session tokens for HSMs using the C rand function, or (2) generate certificates or keys using /dev/urandom instead of another source which blocks when the entropy pool is low, which could make it easier for local or remote attackers to steal tokens or certificates via brute force guessing.

Published: Dec 4, 2001
Updated: Feb 16, 2024
CVE: CVE-2001-0950
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v2:

Severity: High
Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P

CWEs:

CWE-331

Affected Software
References

Software	From	Fixed in
valicert / enterprise_validation_authority	3.3	4.2.1.x

http://marc.info/?l=bugtraq&m=100749428517090&w=2
http://www.securityfocus.com/bid/3618
http://www.securityfocus.com/bid/3620
http://www.valicert.com/support/security_advisory_eva.html
https://exchange.xforce.ibmcloud.com/vulnerabilities/7651
https://exchange.xforce.ibmcloud.com/vulnerabilities/7653

Vulnerability Database

289,784

CVE-2001-0950