GHSA-848f-mph5-9pm9

Suggest an improvement
Source
https://github.com/advisories/GHSA-848f-mph5-9pm9
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-848f-mph5-9pm9/GHSA-848f-mph5-9pm9.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-848f-mph5-9pm9
Published
2024-06-07T22:27:02Z
Modified
2024-06-07T22:32:17.301626Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Zendframework Potential Information Disclosure and Insufficient Entropy vulnerability
Details

In Zend Framework, ZendCaptchaWord (v1) and Zend\Captcha\Word (v2) generate a "word" for a CAPTCHA challenge by selecting a sequence of random letters from a character set. Prior to this advisory, the selection was performed using PHP's internal arrayrand() function. This function does not generate sufficient entropy due to its usage of rand() instead of more cryptographically secure methods such as opensslpseudorandombytes(). This could potentially lead to information disclosure should an attacker be able to brute force the random number generation.

References

Affected packages

Packagist / zendframework/zendframework1

Package

Name
zendframework/zendframework1
Purl
pkg:composer/zendframework/zendframework1

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.12.0
Fixed
1.12.17

Affected versions

1.*

1.12.0
1.12.1
1.12.2
1.12.3
1.12.4
1.12.5
1.12.6
1.12.7
1.12.8
1.12.9
1.12.10
1.12.11
1.12.12
1.12.13
1.12.14
1.12.15
1.12.16