History: Sep 17, 2012 - 5:00 p.m.

CVE-2010-5079

2012-09-17 17:00:00
redhat
www.cve.org
silverstripe
weak entropy
token generation
csrf protection
autologin
forgot password
password salts
access restrictions

AI Score: 7 (Confidence: Low)

EPSS: 0.005 (Percentile: 76.5%)

SilverStripe 2.3.x before 2.3.10 and 2.4.x before 2.4.4 uses weak entropy when generating tokens for (1) the CSRF protection mechanism, (2) autologin, (3) “forgot password” functionality, and (4) password salts, which makes it easier for remote attackers to bypass intended access restrictions via unspecified vectors.
