Lucene search

GitHub Advisory DatabaseGHSA-768M-5W34-2XF5

HistoryJul 15, 2022 - 8:55 p.m.

LTI 1.3 Tool Library's function used to generate random nonces not sufficiently cryptographically complex before v5.0

2022-07-1520:55:46

CWE-327

CWE-330

GitHub Advisory Database

github.com

lti 1.3

tool library

random nonces

vulnerability

version 5.0

cryptographic complexity

forgery

upgrade

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS

0.001

Percentile

31.8%

JSON

Impact

The function used to generate random nonces was not sufficiently cryptographically complex. As a result values may be predictable and tokens may be forgable.

Patches

Users should upgrade to version 5.0 immediately

Workarounds

None.

Affected configurations

Vulners

Node

packbackbookslti-1-3-php-libraryRange<5.0

References

github.com/advisories/GHSA-768m-5w34-2xf5

github.com/packbackbooks/lti-1-3-php-library/commit/de19e8a0b28cdc7750fa3ca98471eeed26ba3e57

github.com/packbackbooks/lti-1-3-php-library/security/advisories/GHSA-768m-5w34-2xf5

nvd.nist.gov/vuln/detail/CVE-2022-31157

openid.net/specs/openid-connect-core-1_0.html#IDToken

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS

0.001

Percentile

31.8%

JSON

Related for GHSA-768M-5W34-2XF5