GHSA-mg4x-prh7-g4mx
Suggest an improvement- Source
- https://github.com/advisories/GHSA-mg4x-prh7-g4mx
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-mg4x-prh7-g4mx/GHSA-mg4x-prh7-g4mx.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-mg4x-prh7-g4mx
- Published
- 2024-06-07T22:25:12Z
- Modified
- 2024-12-04T05:36:22.994493Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- Zend-Captcha Information Disclosure and Insufficient Entropy vulnerability
- Details
-
In Zend Framework,
Zend_Captcha_Word(v1) andZend\Captcha\Word(v2) generate a "word" for a CAPTCHA challenge by selecting a sequence of random letters from a character set. Prior to this advisory, the selection was performed using PHP's internalarray_rand()function. This function does not generate sufficient entropy due to its usage of rand() instead of more cryptographically secure methods such asopenssl_pseudo_random_bytes(). This could potentially lead to information disclosure should an attacker be able to brute force the random number generation. - Database specific
{ "nvd_published_at": null, "cwe_ids": [ "CWE-331" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2024-06-07T22:25:12Z" }- References
-
- https://github.com/zendframework/zend-captcha/commit/43c276df6e94e498bf530538aea53876a24fc47c
- https://github.com/zendframework/zend-captcha/commit/5561ef813bb4ad814e835343289dc5077d2eb262
- https://framework.zend.com/security/advisory/ZF2015-09
- https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zend-captcha/ZF2015-09.yaml
- https://github.com/zendframework/zend-captcha
Affected packages
Packagist / zendframework/zend-captcha
Package
- Name
- zendframework/zend-captcha
- Purl
- pkg:composer/zendframework/zend-captcha
Affected versions
2.*
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
2.1.5
2.1.6
2.2.0rc1
2.2.0rc2
2.2.0rc3
2.2.0
2.2.1
2.2.2
2.2.3
2.2.4
2.2.5
2.2.6
2.2.7
2.2.8
2.2.9
2.2.10
2.3.0
2.3.1
2.3.2
2.3.3
2.3.4
2.3.5
2.3.6
2.3.7
2.3.8
2.3.9
2.4.0rc1
2.4.0rc2
2.4.0rc3
2.4.0rc4
2.4.0rc5
2.4.0rc6
2.4.0rc7
2.4.0
2.4.1
2.4.2
2.4.3
2.4.4
2.4.5
2.4.6
2.4.7
2.4.8
Packagist / zendframework/zend-captcha
Package
- Name
- zendframework/zend-captcha
- Purl
- pkg:composer/zendframework/zend-captcha