GHSA-rq8g-5pc5-wrhr

Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/09/GHSA-rq8g-5pc5-wrhr/GHSA-rq8g-5pc5-wrhr.json

Aliases

CVE-2018-1000620

Published

2018-09-11T18:22:50Z

Modified

2023-03-29T19:11:42Z

Details

Versions of cryptiles prior to 4.1.2 are vulnerable to Insufficient Entropy. The randomDigits() method does not provide sufficient entropy and its generates digits that are not evenly distributed.

Recommendation

Upgrade to version 4.1.2. The package is deprecated and has been moved to @hapi/cryptiles and it is strongly recommended to use the maintained package.

References

https://nvd.nist.gov/vuln/detail/CVE-2018-1000620
https://github.com/hapijs/cryptiles/issues/34
https://github.com/hapijs/cryptiles/issues/35
https://github.com/hapijs/cryptiles/commit/9332d4263a32b84e76bf538d7470d01ea63fa047
https://github.com/advisories/GHSA-rq8g-5pc5-wrhr
https://github.com/hapijs/cryptiles
https://github.com/nodejs/security-wg/blob/master/vuln/npm/476.json
https://www.npmjs.com/advisories/1464
https://www.npmjs.com/advisories/720

Affected packages

npm / cryptiles

cryptiles

Affected ranges

Type: SEMVER
Events: Introduced

0

Fixed

4.1.2

Affected versions

Ecosystem specific

{
    "affected_functions": [
        "cryptiles.randomDigits",
        "cryptiles.randomBits"
    ]
}