CVE-2023-31290

MEDIUM Year: 2023
CVSS v3 Score
5.9
Medium
Weakness Type
CWE-338
View all →

Vulnerability Description

Trust Wallet Core before 3.1.1, as used in the Trust Wallet browser extension before 0.0.183, allows theft of funds because the entropy is 32 bits, as exploited in the wild in December 2022 and March 2023. This occurs because the mt19937 Mersenne Twister takes a single 32-bit value as an input seed, resulting in only four billion possible mnemonics. The affected versions of the browser extension are 0.0.172 through 0.0.182. To steal funds efficiently, an attacker can identify all Ethereum addresses created since the 0.0.172 release, and check whether they are Ethereum addresses that could have been created by this extension. To respond to the risk, affected users need to upgrade the product version and also move funds to a new wallet address.

Related Vulnerabilities

CVE-2008-3280

MEDIUM
CVSS:5.9(Medium)

It was found that various OpenID Providers (OPs) had TLS Server Certificates that used weak keys, as a result of the Debian Predictable Random Number Generator (CVE-2008-0166). In combination with the...

CWE-3382008

CVE-2018-12885

MEDIUM
CVSS:5.9(Medium)

The randMod() function of the smart contract implementation for MyCryptoChamp, an Ethereum game, generates a random value with publicly readable variables such as the current block information and a p...

CWE-3382018

CVE-2019-19794

MEDIUM
CVSS:5.9(Medium)

The miekg Go DNS package before 1.1.25, as used in CoreDNS before 1.6.6 and other products, improperly generates random numbers because math/rand is used. The TXID becomes predictable, leading to resp...

CWE-3382019

CVE-2020-10560

MEDIUM
CVSS:5.9(Medium)

An issue was discovered in Open Source Social Network (OSSN) through 5.3. A user-controlled file path with a weak cryptographic rand() can be used to read any file with the permissions of the webserve...

CWE-3382020

CVE-2022-29245

MEDIUM
CVSS:5.9(Medium)

SSH.NET is a Secure Shell (SSH) library for .NET. In versions 2020.0.0 and 2020.0.1, during an `X25519` key exchange, the client’s private key is generated with `System.Random`. `System.Random` is not...

CWE-3382022

CVE-2023-34363

MEDIUM
CVSS:5.9(Medium)

An issue was discovered in Progress DataDirect Connect for ODBC before 08.02.2770 for Oracle. When using Oracle Advanced Security (OAS) encryption, if an error is encountered initializing the encrypti...

CWE-3382023