CVE-2008-4107

The (1) rand and (2) mt_rand functions in PHP 5.2.6 do not produce cryptographically strong random numbers, which allows attackers to leverage exposures in products that rely on these functions for security-relevant functionality, as demonstrated by the password-reset functionality in Joomla! 1.5.x and WordPress before 2.6.2, a different vulnerability than CVE-2008-2107, CVE-2008-2108, and CVE-2008-4102.
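
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | NIST | 5.1 UNKNOWN | NETWORK | HIGH | | AV:N/AC:H/Au:N/C:P/I:P/A:P |
| mitre | CNA | --- | | | | --- |
| CVE | ADP | --- | | | | --- |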

EPSS percentile: 92%
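
| Vendor | Product | Version |
|---|---|---|
| php | php | 𝑥 ≤ 4.4.8 |
| php | php | 4.0:beta1 |
| php | php | 4.0:beta3 |
| php | php | 4.0:rc1 |
| php | php | 4.0:rc2 |
| php | php | 4.0.0 |
| php | php | 4.0.1 |
| php | php | 4.0.1:patch1 |
| php | php | 4.0.1:patch2 |
| php | php | 4.0.2 |
| php | php | 4.0.3:patch1 |
| php | php | 4.0.4:patch1 |
| php | php | 4.0.5 |
| php | php | 4.0.6 |
| php | php | 4.0.7 |
| php | php | 4.0.7:rc2 |
| php | php | 4.0.7:rc3 |
| php | php | 4.0.7:rc4 |
| php | php | 4.1.0 |
| php | php | 4.1.1 |
| php | php | 4.1.2 |
| php | php | 4.2 |
| php | php | 4.2.0 |
| php | php | 4.2.1 |
| php | php | 4.2.2 |
| php | php | 4.2.3 |
| php | php | 4.3.0 |
| php | php | 4.3.1 |
| php | php | 4.3.2 |
| php | php | 4.3.3 |
| php | php | 4.3.4 |
| php | php | 4.3.5 |
| php | php | 4.3.6 |
| php | php | 4.3.7 |
| php | php | 4.3.8 |
| php | php | 4.3.9 |
| php | php | 4.3.10 |
| php | php | 4.3.11 |
| php | php | 4.4.0 |
| php | php | 4.4.1 |
| php | php | 4.4.2 |
| php | php | 4.4.3 |
| php | php | 4.4.4 |
| php | php | 4.4.5 |
| php | php | 4.4.6 |
| php | php | 4.4.7 |
| php | php | 𝑥 ≤ 5.2.5 |
| php | php | 5.0.0:beta1 |
| php | php | 5.0.0:beta2 |
| php | php | 5.0.0:beta4 |
| php | php | 5.0.0:rc1 |
| php | php | 5.0.1 |
| php | php | 5.0.4 |
| php | php | 5.0.5 |
| php | php | 5.1.0 |
| php | php | 5.1.2 |
| php | php | 5.1.4 |
| php | php | 5.1.5 |
| php | php | 5.1.6 |
| php | php | 5.2.0 |
| php | php | 5.2.1 |
| php | php | 5.2.2 |
| php | php | 5.2.3 |
| php | php | 5.2.4 |

𝑥 = Vulnerable software versions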

Ubuntu Releases

| Ubuntu Product | Codename | Status |
|---|---|---|
| php5 | intrepid | ignored |
| php5 | hardy | ignored |
| php5 | gutsy | ignored |
| php5 | feisty | ignored |
| php5 | dapper | ignored |