Description
stormpath/sdk uses Insecure Random Number Generator
The "stormpath-sdk-php" library uses an insecure random number generator (RNG). Specifically, the issue is in the code that generates version 4 UUIDs (Universally Unique Identifiers).
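The weakness class (CWE-338) applied to UUID v4 generation, as an added example that is not the SDK's own code: `uuid4_weak()` and `uuid4_secure()` are hypothetical names, and the use of `mt_rand()` in the weak variant is an assumption made for illustration, since this page does not say which function the SDK calls.

```php
<?php
declare(strict_types=1);

// Weak pattern (constructed for illustration, not taken from the SDK):
// mt_rand() is a Mersenne Twister. Its output is fully determined by the
// seed, so identifiers built from it are not unpredictable.
function uuid4_weak(): string
{
    return sprintf(
        '%04x%04x-%04x-%04x-%04x-%04x%04x%04x',
        mt_rand(0, 0xffff), mt_rand(0, 0xffff),
        mt_rand(0, 0xffff),
        mt_rand(0, 0x0fff) | 0x4000,   // version 4
        mt_rand(0, 0x3fff) | 0x8000,   // RFC 4122 variant
        mt_rand(0, 0xffff), mt_rand(0, 0xffff), mt_rand(0, 0xffff)
    );
}

// Hardened form: take all 16 bytes from the operating system CSPRNG via
// random_bytes() (PHP >= 7.0), then set the version and variant bits.
function uuid4_secure(): string
{
    $b = random_bytes(16);                    // throws if no CSPRNG is available
    $b[6] = chr((ord($b[6]) & 0x0f) | 0x40);  // version 4
    $b[8] = chr((ord($b[8]) & 0x3f) | 0x80);  // variant 10xx
    return vsprintf('%s%s-%s-%s-%s-%s%s%s', str_split(bin2hex($b), 4));
}

// Re-seeding with the same constructed seed reproduces the weak UUID exactly.
mt_srand(1234);
$first = uuid4_weak();
mt_srand(1234);
$second = uuid4_weak();
echo 'weak UUIDs identical under the same seed: ';
var_dump($first === $second);

// The secure variant still has a well-formed v4 layout.
$u = uuid4_secure();
$v4 = '/^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/';
echo $u, ' well-formed v4: ';
var_dump(preg_match($v4, $u) === 1);
```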
References
- https://github.com/stormpath/stormpath-sdk-php/issues/132
- https://github.com/FriendsOfPHP/security-advisories/blob/master/stormpath/sdk/2017-11-20.yaml
- https://github.com/stormpath/stormpath-sdk-php/blob/15aee3007b8aa41c20cdf28fd650b8a2368a7fa9/src/Util/UUID.php#L167-L181
- https://github.com/stormpath/stormpath-sdk-php/blob/62698ea98ef89217f932e28cf3e511d39af3b4cf/src/Authc/Api/ApiKeyEncryptionOptions.php#L48-L50
Packages
- Name: stormpath/sdk (composer)
- Affected versions: <= 1.19.0
- Fixed version: None
CVSS3: 5.3 Medium
Weaknesses
- CWE-338