Описание
Passeo uses insecure random number generator
Impact
Everyone below v1.0.5 is impacted by this flaw, of confidentiality being at risk due to the password(s) being easily able to be guessed with Passeo's use of the random library. It is recommended to change any passwords made with Passeo before v1.0.5 and upgrade to v1.0.5, and v1.0.5 patches this with the secrets library.
Workarounds
No current workaround available than updating to v1.0.5.
Ссылки
- https://github.com/ArjunSharda/Passeo/security/advisories/GHSA-mhhf-vgwh-fw9h
- https://nvd.nist.gov/vuln/detail/CVE-2022-23472
- https://github.com/ArjunSharda/Passeo/commit/8caa798b6bc4647dca59b2376204b6dc6176361a
- https://github.com/pypa/advisory-database/tree/main/vulns/passeo/PYSEC-2022-42997.yaml
- https://peps.python.org/pep-0506
Пакеты
passeo
< 1.0.5
1.0.5
Связанные уязвимости
Passeo is an open source python password generator. Versions prior to 1.0.5 rely on the python `random` library for random value selection. The python `random` library warns that it should not be used for security purposes due to its reliance on a non-cryptographically secure random number generator. As a result a motivated attacker may be able to guess generated passwords. This issue has been addressed in version 1.0.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.