CVE-2024-36400

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-36400
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-36400.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-36400
Aliases
Published
2024-06-04T15:15:46Z
Modified
2024-10-08T04:14:38.927063Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

nano-id is a unique string ID generator for Rust. Affected versions of the nano-id crate generated IDs from a reduced character set in the nano_id::base62 and nano_id::base58 functions. Specifically, the base62 function could only emit 32 of its intended 62 symbols, and the base58 function only 16 of its intended 58 symbols, so each character carries 5 bits of entropy instead of about 5.95 (base62) and 4 bits instead of about 5.86 (base58). The nano_id::gen macro is affected in the same way whenever it is given a custom character set whose size is not a power of 2. nano_id::base64 is not affected, since 64 is a power of 2. The resulting reduction in entropy makes the generated IDs easier to predict and to brute-force when they are used in security-sensitive contexts such as session tokens or unique identifiers. The vulnerability is fixed in 0.4.0; IDs that were issued by an affected version and still act as secrets (tokens, reset links) should be treated as weaker than their length suggests and rotated after upgrading.
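The following is an added example, not code from the nano-id crate, that reproduces the class of bug the advisory describes and measures it. It assumes the vulnerable generator reduced a random byte to an alphabet index with a bitmask of `len - 1`, which is only correct when `len` is a power of two; that assumption is chosen because it yields exactly the counts reported above (62 -> 32, 58 -> 16, 64 -> 64). The alphabet contents are the conventional ones and are also assumed. The masked version is shown beside an unbiased rejection-sampling version, and a checker walks all 256 byte values to count how many alphabet positions each can reach.

```rust
// Added example (not from the nano-id crate). Alphabets and the `byte & (len - 1)`
// formulation are assumptions that match the symbol counts in the advisory.

const BASE62: &[u8] = b"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
const BASE58: &[u8] = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";
const BASE64: &[u8] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_-";

/// Weak index (assumed vulnerable pattern): mask the random byte with `len - 1`.
/// When `len` is not a power of two, `len - 1` has zero bits that the mask can
/// never set, so only 2^popcount(len - 1) of the `len` positions are reachable.
fn weak_index(byte: u8, len: usize) -> Option<usize> {
    Some((byte as usize) & (len - 1))
}

/// Unbiased index by rejection sampling: bytes at or above the largest multiple
/// of `len` that fits in 256 are discarded (None), the rest are reduced mod `len`.
/// Every position is reachable and equally likely; the caller draws a fresh byte on None.
fn unbiased_index(byte: u8, len: usize) -> Option<usize> {
    let limit = 256 - (256 % len);
    if (byte as usize) < limit {
        Some((byte as usize) % len)
    } else {
        None
    }
}

/// Number of distinct alphabet positions an index function can produce over all
/// 256 byte values. Indexing `seen` panics if a function ever overruns the alphabet.
fn reachable_symbols(len: usize, index: fn(u8, usize) -> Option<usize>) -> usize {
    let mut seen = vec![false; len];
    for b in 0..=255u8 {
        if let Some(i) = index(b, len) {
            seen[i] = true;
        }
    }
    seen.iter().filter(|&&s| s).count()
}

/// Bits of entropy in an ID of `id_len` characters drawn uniformly from `symbols` choices.
fn entropy_bits(symbols: usize, id_len: usize) -> f64 {
    id_len as f64 * (symbols as f64).log2()
}

/// Build an ID from caller-supplied random bytes with the given index function,
/// consuming extra bytes on rejection. Returns None if the input runs out.
fn build_id(
    alphabet: &[u8],
    bytes: &[u8],
    id_len: usize,
    index: fn(u8, usize) -> Option<usize>,
) -> Option<String> {
    let mut out = String::with_capacity(id_len);
    let mut it = bytes.iter();
    while out.len() < id_len {
        let b = *it.next()?;
        if let Some(i) = index(b, alphabet.len()) {
            out.push(alphabet[i] as char);
        }
    }
    Some(out)
}

fn main() {
    let alphabets: [(&str, &[u8]); 3] = [("base62", BASE62), ("base58", BASE58), ("base64", BASE64)];
    for &(name, alphabet) in alphabets.iter() {
        let len = alphabet.len();
        let weak = reachable_symbols(len, weak_index);
        let good = reachable_symbols(len, unbiased_index);
        println!(
            "{}: masked {}/{} symbols ({:.1} bits per 21-char ID), rejection {}/{} ({:.1} bits)",
            name, weak, len, entropy_bits(weak, 21), good, len, entropy_bits(good, 21)
        );
    }
    // Constructed byte input (not random; illustration only). The masked variant
    // cannot distinguish bytes that differ only in bit 1, so 0,1,2,3 -> "0101".
    let sample = [0u8, 1, 2, 3];
    println!("masked:    {:?}", build_id(BASE62, &sample, 4, weak_index));
    println!("rejection: {:?}", build_id(BASE62, &sample, 4, unbiased_index));
}
```

Running `main` shows the advisory's numbers directly: base62 reaches 32 symbols under the mask and 62 under rejection sampling, base58 reaches 16 versus 58, and base64 is identical either way. The cheap check to carry into code review is the one `reachable_symbols` performs: any generator that maps bytes onto a non-power-of-two alphabet with a bitmask alone is biased, whatever the alphabet.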

References

Affected packages

Git / github.com/viz-rs/nano-id

Affected ranges

Type
GIT
Repo
https://github.com/viz-rs/nano-id
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v0.0.1
v0.1.0
v0.1.1
v0.2.0
v0.2.1
v0.3.1
v0.3.2
v0.4.0