Insufficient Entropy ('Cryptographic Issues') [VID:127] #97
Labels
Veracode Policy Scan
A Veracode Flaw found during a Policy or Sandbox Scan
VeracodeFlaw: Medium
A Veracode Flaw, Medium severity
Comments
github-actions
bot
added
Veracode Policy Scan
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Filename: ResetController.java
Line: 190
CWE: 331 (Insufficient Entropy ('Cryptographic Issues'))
Standard random number generators do not provide a sufficient amount of entropy when used for security purposes. Attackers can brute force the output of pseudorandom number generators such as rand(). If this random number is used where security is a concern, such as generating a session key or session identifier, use a trusted cryptographic random number generator instead. These can be found on the Windows platform in the CryptoAPI or in an open source library such as OpenSSL. In Java, use the SecureRandom object to ensure sufficient entropy. References: CWE
The text was updated successfully, but these errors were encountered: