GHSA-rq8g-5pc5-wrhr

Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/09/GHSA-rq8g-5pc5-wrhr/GHSA-rq8g-5pc5-wrhr.json
Aliases
  • CVE-2018-1000620
Published
2018-09-11T18:22:50Z
Modified
2023-03-29T19:11:42Z
Details

Versions of cryptiles prior to 4.1.2 are vulnerable to Insufficient Entropy. The randomDigits() method does not provide sufficient entropy and its generates digits that are not evenly distributed.

Recommendation

Upgrade to version 4.1.2. The package is deprecated and has been moved to @hapi/cryptiles and it is strongly recommended to use the maintained package.

References

Affected packages

npm / cryptiles

cryptiles

Affected ranges

Type
SEMVER
Events
Introduced
0
Fixed
4.1.2

Affected versions

Ecosystem specific

{
    "affected_functions": [
        "cryptiles.randomDigits",
        "cryptiles.randomBits"
    ]
}