Description
Eran Hammer cryptiles version 4.1.1 and earlier contains a CWE-331: Insufficient Entropy vulnerability in the randomDigits() method. As a result, an attacker is more likely to be able to brute-force a value that was supposed to be random. Whether the attack is exploitable depends upon the calling application. This vulnerability appears to have been fixed in 4.1.2.
A flaw was found in the nodejs-cryptiles library prior to version 4.1.2. Previous versions do not implement cryptographically secure randomness resulting in the randomDigits() function returning a pseudo-random data string biased to certain digits. An attacker could exploit this to guess the generated digits.
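The digit bias described above can be measured exactly. The following is an added JavaScript example, not code from cryptiles or from this advisory: `biasedDigit` is a constructed byte-to-digit mapping assumed for illustration, and `uniformRandomDigits` is a hypothetical hardened generator that uses rejection sampling over Node's `crypto.randomBytes`.

```javascript
const { randomBytes } = require('node:crypto');

// Constructed "before" (an assumption, not the library's code): scale a random
// byte (0..255) onto a digit. 256 is not a multiple of 10, so the ten digits
// cannot all be equally likely.
function biasedDigit(byte) {
    return Math.floor(byte / 25.6);
}

// Hardened mapping: reject bytes 250..255 so the remaining 250 values split
// evenly, 25 per digit. Returns null for a rejected byte.
function unbiasedDigit(byte) {
    return byte < 250 ? byte % 10 : null;
}

// Exact distribution of a mapping over all 256 byte values (no sampling noise).
function digitCounts(mapping) {
    const counts = new Array(10).fill(0);
    for (let byte = 0; byte < 256; ++byte) {
        const digit = mapping(byte);
        if (digit !== null) {
            ++counts[digit];
        }
    }
    return counts;
}

// Hypothetical replacement generator: CSPRNG bytes plus rejection sampling.
function uniformRandomDigits(size) {
    if (!Number.isInteger(size) || size <= 0) {
        throw new RangeError('size must be a positive integer');
    }
    const digits = [];
    while (digits.length < size) {
        // Over-request so that most calls need a single CSPRNG read.
        for (const byte of randomBytes(size - digits.length + 16)) {
            const digit = unbiasedDigit(byte);
            if (digit !== null && digits.length < size) {
                digits.push(digit);
            }
        }
    }
    return digits.join('');
}

console.log('biased  :', digitCounts(biasedDigit).join(' '));
console.log('uniform :', digitCounts(unbiasedDigit).join(' '));
console.log('sample  :', uniformRandomDigits(12));
```

A generator that shows unequal counts in the first row is the kind of skew this advisory describes, and the same exhaustive count can serve as a regression test on any byte-to-digit mapping.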
Statement
Red Hat Quay imports nodejs-cryptiles as a development dependency, which reduces the impact on Red Hat Quay to Low.
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Red Hat Mobile Application Platform 4 | nodejs-cryptiles | Not affected | | |
| Red Hat OpenShift Enterprise 3 | nodejs-cryptiles | Not affected | | |
| Red Hat Quay 3 | quay/quay-rhel8 | Fix deferred | | |
| Red Hat Software Collections | rh-nodejs6-nodejs-cryptiles | Not affected | | |
| Red Hat Software Collections | rh-nodejs8-nodejs | Not affected | | |
Additional information
CVSS3: 3.7 Low