RUSTSEC-2024-0343

See a problem?
Please try reporting it to the source first.

Source

https://rustsec.org/advisories/RUSTSEC-2024-0343

Import Source

https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2024-0343.json

JSON Data

https://api.osv.dev/v1/vulns/RUSTSEC-2024-0343

Aliases

Published

2024-06-03T12:00:00Z

Modified

2024-06-15T13:27:23.912492Z

Severity

9.4 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L CVSS Calculator

Summary

Reduced entropy due to inadequate character set usage

Details

Description

Affected versions of the nano-id crate incorrectly generated IDs using a reduced character set in the nano_id::base62 and nano_id::base58 functions. Specifically, the base62 function used a character set of 32 symbols instead of the intended 62 symbols, and the base58 function used a character set of 16 symbols instead of the intended 58 symbols. Additionally, the nano_id::gen macro is also affected when a custom character set that is not a power of 2 in size is specified.

It should be noted that nano_id::base64 is not affected by this vulnerability.

Impact

This can result in a significant reduction in entropy, making the generated IDs predictable and vulnerable to brute-force attacks when the IDs are used in security-sensitive contexts such as session tokens or unique identifiers.

Patches

The flaws were corrected in commit a9022772b2f1ce38929b5b81eccc670ac9d3ab23 by updating the the nano_id::gen macro to use all specified characters correctly.

PoC

use std::collections::BTreeSet;

fn main() {
    test_base58();
    test_base62();
}

fn test_base58() {
    let mut produced_symbols = BTreeSet::new();

    for _ in 0..100_000 {
id = "RUSTSEC-2024-0343"
        for c in id.chars() {
            produced_symbols.insert(c);
        }
    }

    println!(
        "{} symbols generated from nano_id::base58",
        produced_symbols.len()
    );
}

fn test_base62() {
    let mut produced_symbols = BTreeSet::new();

    for _ in 0..100_000 {
id = "RUSTSEC-2024-0343"
        for c in id.chars() {
            produced_symbols.insert(c);
        }
    }

    println!(
        "{} symbols generated from nano_id::base62",
        produced_symbols.len()
    );
}

Database specific

{
    "license": "CC0-1.0"
}

References

Affected packages

crates.io / nano-id

Package

Name: nano-id; View open source insights on deps.dev
Purl: pkg:cargo/nano-id

Affected ranges

Type: SEMVER
Events: Introduced

0.0.0-0

Fixed

0.4.0

Ecosystem specific

{
    "affected_functions": null,
    "affects": {
        "os": [],
        "functions": [
            "nano_id::base58",
            "nano_id::base62",
            "nano_id::gen"
        ],
        "arch": []
    }
}

Database specific

{
    "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
    "informational": null,
    "categories": [
        "crypto-failure"
    ]
}