Common Weakness Enumeration

CWE-338

Allowed

Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

Abstraction: Base · Status: Draft

The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.

293 vulnerabilities reference this CWE, most recent first.

GHSA-6HHH-7CJ8-7MP2

Vulnerability from github – Published: 2026-02-24 00:31 – Updated: 2026-02-24 18:31
VLAI
Details

Smolder versions through 1.51 for Perl uses insecure rand() function for cryptographic functions.

Smolder 1.51 and earlier for Perl uses the rand() function as the default source of entropy, which is not cryptographically secure, for cryptographic functions.

Specifically Smolder::DB::Developer uses the Data::Random library which specifically states that it is "Useful mostly for test programs". Data::Random uses the rand() function.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-58041"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-338"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-24T00:16:17Z",
    "severity": "CRITICAL"
  },
  "details": "Smolder versions through 1.51 for Perl uses insecure rand() function for cryptographic functions.\n\nSmolder 1.51 and earlier for Perl uses the rand() function as the default source of entropy, which is not cryptographically secure, for cryptographic functions.\n\nSpecifically Smolder::DB::Developer uses the Data::Random library which specifically states that it is \"Useful mostly for test programs\". Data::Random uses the rand() function.",
  "id": "GHSA-6hhh-7cj8-7mp2",
  "modified": "2026-02-24T18:31:01Z",
  "published": "2026-02-24T00:31:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-58041"
    },
    {
      "type": "WEB",
      "url": "https://metacpan.org/release/BAREFOOT/Data-Random-0.13/source/lib/Data/Random.pm#L537"
    },
    {
      "type": "WEB",
      "url": "https://metacpan.org/release/WONKO/Smolder-1.51/source/lib/Smolder/DB/Developer.pm#L221"
    },
    {
      "type": "WEB",
      "url": "https://metacpan.org/release/WONKO/Smolder-1.51/source/lib/Smolder/DB/Developer.pm#L5"
    },
    {
      "type": "WEB",
      "url": "https://perldoc.perl.org/functions/rand"
    },
    {
      "type": "WEB",
      "url": "https://security.metacpan.org/docs/guides/random-data-for-security.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6P4W-GCXH-HF6C

Vulnerability from github – Published: 2022-05-24 19:01 – Updated: 2022-05-24 19:01
VLAI
Details

BTCPay Server through 1.0.7.0 uses a weak method Next to produce pseudo-random values to generate a legacy API key.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-29245"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-338"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-05-05T13:15:00Z",
    "severity": "MODERATE"
  },
  "details": "BTCPay Server through 1.0.7.0 uses a weak method Next to produce pseudo-random values to generate a legacy API key.",
  "id": "GHSA-6p4w-gcxh-hf6c",
  "modified": "2022-05-24T19:01:25Z",
  "published": "2022-05-24T19:01:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29245"
    },
    {
      "type": "WEB",
      "url": "https://blog.btcpayserver.org/vulnerability-disclosure-v1-0-7-0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/btcpayserver/btcpayserver/releases"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-6QQF-VVCR-7QRV

Vulnerability from github – Published: 2019-05-23 09:27 – Updated: 2020-08-31 18:34
VLAI
Summary
Cryptographically Weak PRNG in generate-password
Details

Affected versions of generate-password generate random values that are biased towards certain characters depending on the chosen character sets. This may result in guessable passwords.

Recommendation

Update to version 1.4.1 or later.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "generate-password"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.4.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-338"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2019-05-23T07:38:39Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "Affected versions of generate-password generate random values that are biased towards certain characters depending on the chosen character sets. This may result in guessable passwords.\n\n\n## Recommendation\n\nUpdate to version 1.4.1 or later.\n",
  "id": "GHSA-6qqf-vvcr-7qrv",
  "modified": "2020-08-31T18:34:48Z",
  "published": "2019-05-23T09:27:22Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/brendanashworth/generate-password/pull/26"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/762"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Cryptographically Weak PRNG in generate-password"
}

GHSA-72P8-V4HG-V45P

Vulnerability from github – Published: 2022-06-01 19:50 – Updated: 2022-06-15 18:57
VLAI
Summary
Weak private key generation in SSH.NET
Details

During an X25519 key exchange, the client’s private is generated with System.Random:

var rnd = new Random();
_privateKey = new byte[MontgomeryCurve25519.PrivateKeySizeInBytes];
rnd.NextBytes(_privateKey);

Source: KeyExchangeECCurve25519.cs
Source commit: https://github.com/sshnet/SSH.NET/commit/b58a11c0da55da1f5bad46faad2e9b71b7cb35b3

System.Random is not a cryptographically secure random number generator, it must therefore not be used for cryptographic purposes.

Impact

When establishing an SSH connection to a remote host, during the X25519 key exchange, the private key is generated with a weak random number generator whose seed can be bruteforced. This allows an attacker able to eavesdrop the communications to decrypt them.

Workarounds

To ensure you're not affected by this vulnerability, you can disable support for curve25519-sha256 and curve25519-sha256@libssh.org key exchange algorithms by invoking the following method before a connection is established:

private static void RemoveUnsecureKEX(BaseClient client)
{
    client.ConnectionInfo.KeyExchangeAlgorithms.Remove("curve25519-sha256");
    client.ConnectionInfo.KeyExchangeAlgorithms.Remove("curve25519-sha256@libssh.org");
}

Thanks

This issue was initially reported by Siemens AG, Digital Industries, shortly followed by @yaumn-synacktiv.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "SSH.NET"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2020.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-29245"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-330",
      "CWE-338"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-01T19:50:15Z",
    "nvd_published_at": "2022-05-31T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "During an **X25519** key exchange, the client\u2019s private is generated with [**System.Random**](https://docs.microsoft.com/en-us/dotnet/api/system.random):\n\n```cs\nvar rnd = new Random();\n_privateKey = new byte[MontgomeryCurve25519.PrivateKeySizeInBytes];\nrnd.NextBytes(_privateKey);\n```\n\nSource: [KeyExchangeECCurve25519.cs](https://github.com/sshnet/SSH.NET/blob/bc99ada7da3f05f50d9379f2644941d91d5bf05a/src/Renci.SshNet/Security/KeyExchangeECCurve25519.cs#L51)  \nSource commit: https://github.com/sshnet/SSH.NET/commit/b58a11c0da55da1f5bad46faad2e9b71b7cb35b3\n\n[**System.Random**](https://docs.microsoft.com/en-us/dotnet/api/system.random) is not a cryptographically secure random number generator, it must therefore not be used for cryptographic purposes.\n\n### Impact\nWhen establishing an SSH connection to a remote host, during the X25519 key exchange, the private key is generated with\na weak random number generator whose seed can be bruteforced. This allows an attacker able to eavesdrop the\ncommunications to decrypt them.\n\n### Workarounds\nTo ensure you\u0027re not affected by this vulnerability, you can disable support for `curve25519-sha256` and `curve25519-sha256@libssh.org` key exchange algorithms by invoking the following method before a connection is established:\n```cs\nprivate static void RemoveUnsecureKEX(BaseClient client)\n{\n    client.ConnectionInfo.KeyExchangeAlgorithms.Remove(\"curve25519-sha256\");\n    client.ConnectionInfo.KeyExchangeAlgorithms.Remove(\"curve25519-sha256@libssh.org\");\n}\n```\n\n### Thanks\n\nThis issue was initially reported by **Siemens AG, Digital Industries**, shortly followed by @yaumn-synacktiv.",
  "id": "GHSA-72p8-v4hg-v45p",
  "modified": "2022-06-15T18:57:58Z",
  "published": "2022-06-01T19:50:15Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/sshnet/SSH.NET/security/advisories/GHSA-72p8-v4hg-v45p"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29245"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sshnet/SSH.NET/commit/03c6d60736b8f7b42e44d6989a53f9b644a091fb"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sshnet/SSH.NET/commit/f1f273cf349532b9d41c1de51d3b83a9accedc88"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/sshnet/SSH.NET"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sshnet/SSH.NET/blob/bc99ada7da3f05f50d9379f2644941d91d5bf05a/src/Renci.SshNet/Security/KeyExchangeECCurve25519.cs#L51"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sshnet/SSH.NET/releases/tag/2020.0.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Weak private key generation in SSH.NET"
}

GHSA-75V8-2H7P-7M2M

Vulnerability from github – Published: 2025-04-26 21:31 – Updated: 2025-05-27 18:49
VLAI
Summary
Formidable relies on hexoid to prevent guessing of filenames for untrusted executable content
Details

Formidable (aka node-formidable) 2.x before 2.1.3 and 3.x before 3.5.3 relies on hexoid to prevent guessing of filenames for untrusted executable content; however, hexoid is documented as not "cryptographically secure." (Also, there is a scenario in which only the last two characters of a hexoid string need to be guessed, but this is not often relevant.) NOTE: this does not imply that, in a typical use case, attackers will be able to exploit any hexoid behavior to upload and execute their own content.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "formidable"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.1.1-canary.20211030"
            },
            {
              "fixed": "3.5.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "formidable"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.1.0"
            },
            {
              "fixed": "2.1.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-46653"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-338"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-29T14:07:17Z",
    "nvd_published_at": "2025-04-26T21:15:14Z",
    "severity": "LOW"
  },
  "details": "Formidable (aka node-formidable) 2.x before 2.1.3 and 3.x before 3.5.3 relies on hexoid to prevent guessing of filenames for untrusted executable content; however, hexoid is documented as not \"cryptographically secure.\" (Also, there is a scenario in which only the last two characters of a hexoid string need to be guessed, but this is not often relevant.) NOTE: this does not imply that, in a typical use case, attackers will be able to exploit any hexoid behavior to upload and execute their own content.",
  "id": "GHSA-75v8-2h7p-7m2m",
  "modified": "2025-05-27T18:49:20Z",
  "published": "2025-04-26T21:31:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46653"
    },
    {
      "type": "WEB",
      "url": "https://github.com/node-formidable/formidable/commit/022c2c5577dfe14d2947f10909d81b03b6070bf5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/node-formidable/formidable/commit/37a3e89fca1ed68ec674a539f13aafd62221ddaa"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/node-formidable/formidable"
    },
    {
      "type": "WEB",
      "url": "https://github.com/node-formidable/formidable/blob/d0fbec13edc8add54a1afb9ce1a8d3db803f8d47/CHANGELOG.md?plain=1#L10"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zast-ai/vulnerability-reports/blob/main/formidable/file_upload/report.md"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/package/formidable/v/2.1.3"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/package/formidable/v/3.5.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Formidable relies on hexoid to prevent guessing of filenames for untrusted executable content"
}

GHSA-7F2Q-MWC4-6QVX

Vulnerability from github – Published: 2025-04-16 03:30 – Updated: 2025-04-16 03:30
VLAI
Details

Delta Electronics COMMGR v1 and v2 uses insufficiently randomized values to generate session IDs (CWE-338). An attacker could easily brute force a session ID and load and execute arbitrary code.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-3495"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-338"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-16T03:15:17Z",
    "severity": "CRITICAL"
  },
  "details": "Delta Electronics COMMGR v1 and v2\u00a0uses insufficiently randomized values to generate session IDs (CWE-338). An attacker could easily brute force a session ID and load and execute arbitrary code.",
  "id": "GHSA-7f2q-mwc4-6qvx",
  "modified": "2025-04-16T03:30:24Z",
  "published": "2025-04-16T03:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3495"
    },
    {
      "type": "WEB",
      "url": "https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2025-00005_COMMGR%20-%20Insufficient%20Randomization%20Authentication%20Bypass_v1.pdf"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-105-07"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7R2J-HGH9-JQQX

Vulnerability from github – Published: 2026-03-28 21:33 – Updated: 2026-03-31 21:31
VLAI
Details

Amon2 versions before 6.17 for Perl use an insecure random_string implementation for security functions.

In versions 6.06 through 6.16, the random_string function will attempt to read bytes from the /dev/urandom device, but if that is unavailable then it generates bytes by concatenating a SHA-1 hash seeded with the built-in rand() function, the PID, and the high resolution epoch time. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage.

Before version 6.06, there was no fallback when /dev/urandom was not available.

Before version 6.04, the random_string function used the built-in rand() function to generate a mixed-case alphanumeric string.

This function may be used for generating session ids, generating secrets for signing or encrypting cookie session data and generating tokens used for Cross Site Request Forgery (CSRF) protection.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-15604"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-338"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-28T19:16:53Z",
    "severity": "CRITICAL"
  },
  "details": "Amon2 versions before 6.17 for Perl use an insecure random_string implementation for security functions.\n\nIn versions 6.06 through 6.16, the random_string function will attempt to read bytes from the /dev/urandom device, but if that is unavailable then it generates bytes by concatenating a SHA-1 hash seeded with the built-in rand() function, the PID, and the high resolution epoch time.  The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage.\n\nBefore version 6.06, there was no fallback when /dev/urandom was not available.\n\nBefore version 6.04, the random_string function used the built-in rand() function to generate a mixed-case alphanumeric string.\n\nThis function may be used for generating session ids, generating secrets for signing or encrypting cookie session data and generating tokens used for Cross Site Request Forgery (CSRF) protection.",
  "id": "GHSA-7r2j-hgh9-jqqx",
  "modified": "2026-03-31T21:31:18Z",
  "published": "2026-03-28T21:33:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15604"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tokuhirom/Amon/pull/135"
    },
    {
      "type": "WEB",
      "url": "https://metacpan.org/release/TOKUHIROM/Amon2-6.17/changes"
    },
    {
      "type": "WEB",
      "url": "https://metacpan.org/release/TOKUHIROM/Amon2-6.17/diff/TOKUHIROM/Amon2-6.16#lib/Amon2/Util.pm"
    },
    {
      "type": "WEB",
      "url": "https://security.metacpan.org/docs/guides/random-data-for-security.html"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/03/28/4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7RQ2-V6RC-96JW

Vulnerability from github – Published: 2026-03-31 12:31 – Updated: 2026-03-31 21:31
VLAI
Details

Business::OnlinePayment::StoredTransaction versions through 0.01 for Perl uses an insecure secret key.

Business::OnlinePayment::StoredTransaction generates a secret key by using a MD5 hash of a single call to the built-in rand function, which is unsuitable for cryptographic use.

This key is intended for encrypting credit card transaction data.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-15618"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-338"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-31T11:16:11Z",
    "severity": "CRITICAL"
  },
  "details": "Business::OnlinePayment::StoredTransaction versions through 0.01 for Perl uses an insecure secret key.\n\nBusiness::OnlinePayment::StoredTransaction generates a secret key by using a MD5 hash of a single call to the built-in rand function, which is unsuitable for cryptographic use.\n\nThis key is intended for encrypting credit card transaction data.",
  "id": "GHSA-7rq2-v6rc-96jw",
  "modified": "2026-03-31T21:31:18Z",
  "published": "2026-03-31T12:31:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15618"
    },
    {
      "type": "WEB",
      "url": "https://metacpan.org/dist/Business-OnlinePayment-StoredTransaction/source/lib/Business/OnlinePayment/StoredTransaction.pm#L64-75"
    },
    {
      "type": "WEB",
      "url": "https://security.metacpan.org/patches/B/Business-OnlinePayment-StoredTransaction/0.01/CVE-2025-15618-r1.patch"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/03/31/7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7VRC-HC62-3F49

Vulnerability from github – Published: 2024-09-26 18:31 – Updated: 2024-10-07 15:31
VLAI
Details

The goTenna Pro series does not use SecureRandom when generating its cryptographic keys. The random function in use is not suitable for cryptographic use.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-47126"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-338"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-26T18:15:09Z",
    "severity": "HIGH"
  },
  "details": "The goTenna Pro series does not use SecureRandom when generating its cryptographic keys. The random function in use is not suitable for cryptographic use.",
  "id": "GHSA-7vrc-hc62-3f49",
  "modified": "2024-10-07T15:31:38Z",
  "published": "2024-09-26T18:31:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47126"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-270-04"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-82VR-5769-6358

Vulnerability from github – Published: 2023-11-16 14:33 – Updated: 2023-11-16 14:33
VLAI
Summary
Ethyca Fides Cryptographically Weak Generation of One-Time Codes for Identity Verification
Details

Impact

The Fides Privacy Center allows data subject users to submit privacy and consent requests to data controller users of the Fides web application.

Privacy requests allow data subjects to submit a request to access all person data held by the data controller, or delete/erase it. Consent request allows data subject users to modify their privacy preferences for how the data controller uses their personal data e.g. data sales and sharing consent opt-in/opt-out.

If subject_identity_verification_required in the [execution] section of fides.toml or the env var FIDES__EXECUTION__SUBJECT_IDENTITY_VERIFICATION_REQUIRED is set to True on the fides webserver backend, data subjects are sent a one-time code to their email address or phone number, depending on messaging configuration, and the one-time code must be entered in the Privacy Center UI by the data subject before the privacy or consent request is submitted.

It was identified that the one-time code values for these requests were generated by the python random module, a cryptographically weak pseduo-random number generator (PNRG). If an attacker generates several hundred consecutive one-time codes, this vulnerability allows the attacker to predict all future one-time code values during the lifetime of the backend python process.

There is no security impact on data access requests as the personal data download package is not shared in the Privacy Center itself. However, this vulnerability allows an attacker to (i) submit a verified data erasure request, resulting in deletion of data for the targeted user and (ii) submit a verified consent request, modifying a user's privacy preferences.

Patches

The vulnerability has been patched in Fides version 2.24.0. Users are advised to upgrade to this version or later to secure their systems against this threat.

Workarounds

None

References

  • https://peps.python.org/pep-0506/
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "ethyca-fides"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.24.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-48224"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-338"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-11-16T14:33:06Z",
    "nvd_published_at": "2023-11-15T21:15:08Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nThe Fides Privacy Center allows data subject users to submit privacy and consent requests to data controller users of the Fides web application.\n\nPrivacy requests allow data subjects to submit a request to access all person data held by the data controller, or delete/erase it.  Consent request allows data subject users to modify their privacy preferences for how the data controller uses their personal data e.g. data sales and sharing consent opt-in/opt-out.\n\nIf `subject_identity_verification_required` in the `[execution]` section of `fides.toml` or the env var `FIDES__EXECUTION__SUBJECT_IDENTITY_VERIFICATION_REQUIRED` is set to `True` on the fides webserver backend, data subjects are sent a one-time code to their email address or phone number, depending on messaging configuration, and the one-time code must be entered in the Privacy Center UI by the data subject before the privacy or consent request is submitted.\n\nIt was identified that the one-time code values for these requests were generated by the python `random` module, a cryptographically weak pseduo-random number generator (PNRG). If an attacker generates several hundred consecutive one-time codes, this vulnerability allows the attacker to predict all future one-time code values during the lifetime of the backend python process.\n\nThere is no security impact on data access requests as the personal data download package is not shared in the Privacy Center itself. However, this vulnerability allows an attacker to (i) submit a verified data erasure request, resulting in deletion of data for the targeted user and (ii) submit a verified consent request, modifying a user\u0027s privacy preferences.\n\n### Patches\nThe vulnerability has been patched in Fides version `2.24.0`. Users are advised to upgrade to this version or later to secure their systems against this threat.\n\n### Workarounds\nNone\n\n### References\n* https://peps.python.org/pep-0506/",
  "id": "GHSA-82vr-5769-6358",
  "modified": "2023-11-16T14:33:06Z",
  "published": "2023-11-16T14:33:06Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ethyca/fides/security/advisories/GHSA-82vr-5769-6358"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48224"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ethyca/fides/commit/685bae61c203d29ed189f4b066a5223a9bb774c6"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ethyca/fides"
    },
    {
      "type": "WEB",
      "url": "https://peps.python.org/pep-0506"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Ethyca Fides Cryptographically Weak Generation of One-Time Codes for Identity Verification"
}

Mitigation
Implementation

Use functions or hardware which use a hardware-based random number generation for all crypto. This is the recommended solution. Use CyptGenRandom on Windows, or hw_rand() on Linux.

No CAPEC attack patterns related to this CWE.