The number of possible random values is smaller than needed by the product, making it more susceptible to brute force attacks.
View on MITREAn attacker could easily guess the values used. This could lead to unauthorized access to a system if the seed is used for authentication and authorization.
No mitigation information available for this CWE.
No detection method information available for this CWE.
The following XML example code is a deployment descriptor for a Java web application deployed on a Sun Java Application Server. This deployment descriptor includes a session configuration property for configuring the session ID length.
This deployment descriptor has set the session ID length for this Java web application to 8 bytes (or 64 bits). The session ID length for Java web applications should be set to 16 bytes (128 bits) to prevent attackers from guessing and/or stealing a session ID and taking over a user's session.
Product uses 5 alphanumeric characters for filenames of expense claim reports, stored under web root.
View DetailsProduct uses small number of random numbers for a code to approve an action, and also uses predictable new user IDs, allowing attackers to hijack new accounts.
View DetailsSYN cookies implementation only uses 32-bit keys, making it easier to brute force ISN.
View DetailsCWE-334: Small Space of Random Values is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The number of possible random values is smaller than needed by the product, making it more susceptible to brute force attacks.
If exploited, CWE-334 (Small Space of Random Values) it can compromise Access Control and Other, leading to outcomes such as Bypass Protection Mechanism and Other.
CWE-334 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
MITRE documents real CVEs mapped to CWE-334, including CVE-2002-0583, CVE-2002-0903, CVE-2003-1230 and CVE-2004-0230. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.
A CWE (Common Weakness Enumeration) like CWE-334 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.