GHSA-rq8g-5pc5-wrhr

Source
https://github.com/advisories/GHSA-rq8g-5pc5-wrhr
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/09/GHSA-rq8g-5pc5-wrhr/GHSA-rq8g-5pc5-wrhr.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-rq8g-5pc5-wrhr
Aliases
Published
2018-09-11T18:22:50Z
Modified
2023-11-08T03:59:39.699757Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Insufficient Entropy in cryptiles
Details

Versions of cryptiles prior to 4.1.2 are vulnerable to Insufficient Entropy. The randomDigits() method does not provide sufficient entropy, and the digits it generates are not evenly distributed.

Recommendation

Upgrade to version 4.1.2. The package is deprecated and has been moved to @hapi/cryptiles; using the maintained package is strongly recommended.

Database specific
{
    "github_reviewed_at": "2020-06-16T21:55:29Z",
    "github_reviewed": true,
    "nvd_published_at": "2018-07-09T20:29:00Z",
    "cwe_ids": [
        "CWE-331"
    ],
    "severity": "CRITICAL"
}
References

Affected packages

npm / cryptiles

Affected ranges
  • Type: SEMVER
  • Introduced: 3.1.0
  • Fixed: 4.1.2