GHSA-2fhr-8r8r-qp56

Source

https://github.com/advisories/GHSA-2fhr-8r8r-qp56

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-2fhr-8r8r-qp56/GHSA-2fhr-8r8r-qp56.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-2fhr-8r8r-qp56

Published

2024-06-07T20:37:45Z

Modified

2024-12-04T05:40:33.932306Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

ZendFramework Information Disclosure and Insufficient Entropy vulnerability

Details

In Zend Framework, Zend_Captcha_Word (v1) and Zend\Captcha\Word (v2) generate a "word" for a CAPTCHA challenge by selecting a sequence of random letters from a character set. Prior to this advisory, the selection was performed using PHP's internal array_rand() function. This function does not generate sufficient entropy due to its usage of rand() instead of more cryptographically secure methods such as openssl_pseudo_random_bytes(). This could potentially lead to information disclosure should an attacker be able to brute force the random number generation.

Database specific

{
    "github_reviewed_at": "2024-06-07T20:37:45Z",
    "cwe_ids": [
        "CWE-200",
        "CWE-331"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "nvd_published_at": null
}

References

Affected packages

Packagist / zendframework/zendframework

Package

Name: zendframework/zendframework
Purl: pkg:composer/zendframework/zendframework

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.0.0

Fixed

2.4.9

Affected versions

2.*

2.0.0

2.0.1

2.0.2

2.0.3

2.0.4

2.0.5

2.0.6

2.0.7

2.0.8

2.1.0

2.1.1

2.1.2

2.1.3

2.1.4

2.1.5

2.1.6

2.2.0rc1

2.2.0rc2

2.2.0rc3

2.2.0

2.2.1

2.2.2

2.2.3

2.2.4

2.2.5

2.2.6

2.2.7

2.2.8

2.2.9

2.2.10

2.3.0

2.3.1

2.3.2

2.3.3

2.3.4

2.3.5

2.3.6

2.3.7

2.3.8

2.3.9

2.4.0rc1

2.4.0rc2

2.4.0rc3

2.4.0rc4

2.4.0rc5

2.4.0rc6

2.4.0rc7

2.4.0

2.4.1

2.4.2

2.4.3

2.4.4

2.4.5

2.4.6

2.4.7

2.4.8