GHSA-3fmq-x9q6-wm39

Source
https://github.com/advisories/GHSA-3fmq-x9q6-wm39
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-3fmq-x9q6-wm39/GHSA-3fmq-x9q6-wm39.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-3fmq-x9q6-wm39
Published
2024-05-17T23:27:19Z
Modified
2024-12-02T05:42:56.201685Z
Summary
random_compat Uses insecure CSPRNG
Details

random_compat versions prior to 2.0 are affected by a security vulnerability related to the insecure usage of Cryptographically Secure Pseudo-Random Number Generators (CSPRNG). The affected versions use openssl_random_pseudo_bytes(), which may result in insufficient entropy and compromise the security of generated random numbers.

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-331"
    ],
    "severity": "LOW",
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-17T23:27:19Z"
}
References

Affected packages

Packagist / paragonie/random_compat

Package

Name
paragonie/random_compat
Purl
pkg:composer/paragonie/random_compat

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.0

Affected versions

0.*

0.9.0
0.9.1
0.9.2
0.9.3
0.9.4
0.9.5

v0.*

v0.9.7

v1.*

v1.0.0
v1.0.1
v1.2.0
v1.2.1
v1.2.2
v1.2.3
v1.3.0
v1.3.1
v1.4.0
v1.4.1
v1.4.2
v1.4.3

1.*

1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.0.8
1.0.9
1.0.10
1.1.0
1.1.1
1.1.2
1.1.3
1.1.4
1.1.5
1.1.6