GHSA-rq8g-5pc5-wrhr
- Source
- https://github.com/advisories/GHSA-rq8g-5pc5-wrhr
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/09/GHSA-rq8g-5pc5-wrhr/GHSA-rq8g-5pc5-wrhr.json
- Aliases
- Published
- 2018-09-11T18:22:50Z
- Modified
- 2023-11-08T03:59:39.699757Z
- Details
-
Versions of
cryptilesprior to 4.1.2 are vulnerable to Insufficient Entropy. TherandomDigits()method does not provide sufficient entropy and its generates digits that are not evenly distributed.Recommendation
Upgrade to version 4.1.2. The package is deprecated and has been moved to
@hapi/cryptilesand it is strongly recommended to use the maintained package. - References
-
- https://nvd.nist.gov/vuln/detail/CVE-2018-1000620
- https://github.com/hapijs/cryptiles/issues/34
- https://github.com/hapijs/cryptiles/issues/35
- https://github.com/hapijs/cryptiles/commit/6bdcd0f6ee8ade96e7b30350bad39ee0c2ef0f9b
- https://github.com/hapijs/cryptiles/commit/9332d4263a32b84e76bf538d7470d01ea63fa047
- https://github.com/advisories/GHSA-rq8g-5pc5-wrhr
- https://github.com/hapijs/cryptiles
- https://github.com/nodejs/security-wg/blob/master/vuln/npm/476.json
- https://www.npmjs.com/advisories/1464
- https://www.npmjs.com/advisories/720
Affected packages
npm / cryptiles
Package
- Name
- cryptiles