GHSA-x7g2-wrrp-r6h3

Source

https://github.com/advisories/GHSA-x7g2-wrrp-r6h3

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-x7g2-wrrp-r6h3/GHSA-x7g2-wrrp-r6h3.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-x7g2-wrrp-r6h3

Aliases

CVE-2021-27913

Published

2021-09-01T18:41:06Z

Modified

2024-02-16T08:21:55.344923Z

Severity

3.5 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L CVSS Calculator

Summary

Use of a Broken or Risky Cryptographic Algorithm

Details

✍️ Description

The function mt_rand is used to generate session tokens, this function is cryptographically flawed due to its nature being one pseudorandomness, an attacker can take advantage of the cryptographically insecure nature of this function to enumerate session tokens for accounts that are not under his/her control

🕵️‍♂️ Proof of Concept

Numerous examples and attack implementations can be found in this paper . If you're looking for a practical tool that can crack your mt_rand implementation's seed value, see this project and run the following commands in a console with php5 and OpenWall's tool installed:

root$ php -r 'mt_srand(13333337); echo mt_rand( ), "\n";' After that, copy the output (1863134308) and execute the following commands:

root$ gcc php_mt_seed.c -o php_mt_seedroot$ ./php_mt_seed 1863134308 After waiting ~1 minute you should have a few possible seeds corresponding to their PHP versions, next to your installed PHP version you should see something akin to:

seed = 0x00cb7359 = 13333337 (PHP 7.1.0+) Hey, that's your seed!

💥 Impact

An attacker could takeover accounts at random by enumerating and using access tokens.

📝 References

https://openwall.com/phpmtseedhttps://crypto.di.uoa.gr/CRYPTO.SEC/RandomnessAttacksfiles/paper.pdf
https://github.com/mautic/mautic/blob/5213e320b4ef4d0c51bb84c1d46a1071e8e4f7fc/app/bundles/PointBundle/Controller/TriggerController.php#L187
https://github.com/mautic/mautic/releases/tag/3.3.4
https://github.com/mautic/mautic/releases/tag/4.0.0

Database specific

{
    "nvd_published_at": "2021-08-30T16:15:00Z",
    "cwe_ids": [
        "CWE-327"
    ],
    "severity": "LOW",
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-30T18:02:40Z"
}

References

Affected packages

Packagist / mautic/core

Package

Name: mautic/core
Purl: pkg:composer/mautic/core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.3.4

Affected versions

1.*

1.0.0-beta

1.0.0-beta2

1.0.0-beta3

1.0.0-beta4

1.0.0-rc1

1.0.0-rc2

1.0.0-rc3

1.0.0-rc4

1.0.0

1.0.1

1.0.2

1.0.3

1.0.4

1.0.5

1.1.0

1.1.1

1.1.2

1.1.3

1.2.0-beta1

1.2.0

1.2.1

1.2.2

1.2.3

1.2.4

1.3.0

1.3.1

1.4.0

1.4.1

2.*

2.0.0

2.0.1

2.1.0

2.1.1

2.2.0

2.2.1

2.3.0

2.4.0

2.5.0

2.5.1

2.6.0

2.6.1

2.7.0

2.7.1

2.8.0

2.8.1

2.8.2

2.9.0-beta

2.9.0

2.9.1

2.9.2

2.10.0-beta

2.10.0

2.10.1

2.11.0-beta

2.11.0

2.12.0-beta

2.12.0

2.12.1-beta

2.12.1

2.12.2-beta

2.12.2

2.13.0-beta

2.13.0

2.13.1

2.14.0-beta

2.14.0

2.14.1-beta

2.14.1

2.14.2-beta

2.14.2

2.15.0-beta

2.15.0

2.15.1-beta

2.15.1

2.15.2-beta

2.15.2

2.15.3-beta

2.15.3

2.16.0-beta

2.16.0

2.16.1-beta

2.16.1

2.16.2-beta

2.16.2

2.16.3-beta

2.16.3

2.16.4

2.16.5

3.*

3.0.0-alpha

3.0.0-beta

3.0.0-beta2

3.0.0

3.0.1

3.0.2-rc

3.0.2

3.1.0-rc

3.1.0

3.1.1-rc

3.1.1

3.1.2-rc

3.1.2

3.2.0-rc

3.2.0

3.2.1

3.2.2-rc

3.2.2

3.2.3

3.2.4

3.2.5-rc

3.2.5

3.3.0-rc

3.3.0

3.3.1

3.3.2-rc

3.3.2

3.3.3-rc

3.3.3

Packagist / mautic/core

Package

Name: mautic/core
Purl: pkg:composer/mautic/core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.0.0-alpha1

Fixed

4.0.0

Affected versions

4.*

4.0.0-alpha1

4.0.0-beta

4.0.0-rc