Description
Formidable (aka node-formidable) 2.1.0 through 3.x before 3.5.3 relies on hexoid to prevent guessing of filenames for untrusted executable content; however, hexoid is documented as not "cryptographically secure." (Also, there is a scenario in which only the last two characters of a hexoid string need to be guessed, but this is not often relevant.) NOTE: this does not imply that, in a typical use case, attackers will be able to exploit any hexoid behavior to upload and execute their own content.
A flaw was found in Formidable (node-formidable) related to its pseudo-random number generator (PRNG). The package uses a weak method to generate random filenames for uploaded files, making it possible for attackers to predict filenames under certain conditions. This vulnerability could allow an attacker to guess and access uploaded files, potentially leading to data exposure or malicious file manipulation.
Statement
Red Hat assigned a lower CVSS score because successful exploitation requires predicting filenames generated by a non-cryptographic PRNG under specific timing conditions, which significantly increases attack complexity. Additionally, the practical impact is limited to a potential low integrity issue (e.g., file overwrite) with no demonstrated confidentiality or availability impact.
Mitigation
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
Affected packages
| Platform | Package | Status | Advisory | Release |
|---|---|---|---|---|
| OpenShift Serverless | openshift-serverless-1/kn-backstage-plugins-eventmesh-rhel8 | Fix deferred | ||
| OpenShift Serverless | openshift-serverless-1/kn-plugin-func-func-util-rhel8 | Fix deferred | ||
| Red Hat Developer Hub | rhdh/rhdh-hub-rhel9 | Fix deferred | ||
| Red Hat Enterprise Linux 10 | firefox | Fix deferred | ||
| Red Hat Enterprise Linux 10 | gjs | Fix deferred | ||
| Red Hat Enterprise Linux 10 | thunderbird | Fix deferred | ||
| Red Hat Enterprise Linux 6 | firefox | Fix deferred | ||
| Red Hat Enterprise Linux 6 | thunderbird | Fix deferred | ||
| Red Hat Enterprise Linux 7 | firefox | Fix deferred | ||
| Red Hat Enterprise Linux 7 | thunderbird | Fix deferred | | |
Additional information
EPSS
3.1 Low
CVSS3
Related vulnerabilities
Formidable relies on hexoid to prevent guessing of filenames for untrusted executable content