Use of Insufficiently Random Values
| Property | Value |
|---|---|
| Language | java |
| Severity | |
| CWE | CWE-330: Use of Insufficiently Random Values |
| OWASP | A02:2021 - Cryptographic Failures |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description
The code uses Math.random() or java.util.Random to generate random values. These are general-purpose pseudo-random number generators, not cryptographic ones: their output is deterministic given the seed, so it can be predicted. They are therefore not secure for tasks such as creating passwords, tokens, or any other sensitive data.
Impact
If an attacker can predict the generated values, they may be able to guess session tokens, passwords, or other secrets, leading to unauthorized access or data breaches. This can compromise user accounts and the overall security of the application.
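The following is an added example, not part of the original rule entry, showing a token generator built on java.util.Random (the pattern this rule flags) beside the same generator built on java.security.SecureRandom. The `main` method demonstrates why the weak version is a problem: two java.util.Random instances with the same seed yield byte-for-byte identical tokens, so the token is a function of the seed rather than a secret. Math.random() is backed by a shared java.util.Random instance and has the same weakness.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Random;

public class TokenGeneration {

    // Vulnerable: java.util.Random is a deterministic PRNG whose whole output
    // stream is fixed by its 48-bit seed. Anything derived from it is not secret.
    static String weakToken(Random rng, int numBytes) {
        byte[] buf = new byte[numBytes];
        rng.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    // Hardened: SecureRandom draws from the platform's cryptographic RNG
    // (e.g. /dev/urandom or a CSPRNG provider) and is suitable for tokens.
    static String secureToken(int numBytes) {
        byte[] buf = new byte[numBytes];
        new SecureRandom().nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    public static void main(String[] args) {
        // Constructed demonstration: equal seeds yield equal "tokens", which is
        // exactly the property that makes java.util.Random unfit for this use.
        String first = weakToken(new Random(42L), 32);
        String second = weakToken(new Random(42L), 32);
        System.out.println("weak token #1: " + first);
        System.out.println("weak token #2: " + second);
        System.out.println("identical with the same seed: " + first.equals(second));

        // Each call produces an independent, unpredictable 256-bit token.
        System.out.println("secure token:  " + secureToken(32));
    }
}
```

Remediation for code flagged by this rule is to replace the java.util.Random or Math.random() call with a SecureRandom instance, as in `secureToken` above; for passwords and session identifiers, 32 bytes (256 bits) of output is a reasonable minimum.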