GHSA-2h3h-vw8r-82rp

Suggest an improvement
Source
https://github.com/advisories/GHSA-2h3h-vw8r-82rp
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-2h3h-vw8r-82rp/GHSA-2h3h-vw8r-82rp.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-2h3h-vw8r-82rp
Aliases
Published
2021-03-26T16:49:26Z
Modified
2023-11-08T04:05:25.888063Z
Severity
  • 5.1 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
Summary
Weak JSON Web Token in yapi-vendor
Details

Weak JSON Web Token (JWT) signing secret generation in YMFE YApi through 1.9.2 allows recreation of other users' JWT tokens. This occurs because Math.random in Node.js is used as a source of randomness in jwt signing. Math.random does not provide cryptographically secure random numbers. This has been patched in version 1.9.3.

Database specific 
{
    "severity": "MODERATE",
    "github_reviewed_at": "2021-03-26T16:48:44Z",
    "cwe_ids": [
        "CWE-330"
    ],
    "nvd_published_at": "2021-03-01T23:15:00Z",
    "github_reviewed": true
}
References

Affected packages

npm / yapi-vendor

Package

Name
yapi-vendor
View open source insights on deps.dev
Purl
pkg:npm/yapi-vendor

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.9.3

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-2h3h-vw8r-82rp/GHSA-2h3h-vw8r-82rp.json"

last_known_affected_version_range

"<= 1.9.2"