GitHub Advisory Database: GHSA-MHHF-VGWH-FW9H
History: Dec 06, 2022 - 9:13 p.m.

Passeo uses insecure random number generator

2022-12-06 21:13:32
CWE-338
GitHub Advisory Database
github.com

CVSS3: 7.5

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS: 0.001
Percentile: 45.3%

Impact

Every version below v1.0.5 is affected by this flaw. Confidentiality is at risk because passwords generated by Passeo can be easily guessed, owing to Passeo's use of the random library. It is recommended to change any passwords made with Passeo before v1.0.5 and to upgrade to v1.0.5, which patches the flaw by using the secrets library.
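One way to check your own code for the pattern described above, as an added example that is not part of the advisory or of Passeo's code: a small AST scan that reports calls into Python's random module. The sample source, its function names, and find_random_calls are constructed for illustration.

```python
import ast

# Constructed sample (not Passeo's code): a generator in the weak style the
# advisory describes (random) next to the corrected style (secrets).
SAMPLE = '''
import random
import secrets
import string
from random import choice as pick
CHARS = string.ascii_letters + string.digits
def weak(n):
    return "".join(random.choice(CHARS) for _ in range(n))
def weak_alias(n):
    return "".join(pick(CHARS) for _ in range(n))
def fixed(n):
    return "".join(secrets.choice(CHARS) for _ in range(n))
'''

CSPRNG_BACKED = {"SystemRandom"}  # random.SystemRandom reads from os.urandom


def find_random_calls(source):
    """Return sorted (line, call) pairs for calls into the random module."""
    tree = ast.parse(source)
    modules, names = set(), {}
    for node in ast.walk(tree):  # pass 1: how is random imported or aliased?
        if isinstance(node, ast.Import):
            modules.update(a.asname or a.name for a in node.names
                           if a.name == "random")
        elif isinstance(node, ast.ImportFrom) and node.module == "random":
            names.update({a.asname or a.name: a.name for a in node.names})
    hits = []
    for node in ast.walk(tree):  # pass 2: calls made through those names
        if not isinstance(node, ast.Call):
            continue
        f = node.func
        if (isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name)
                and f.value.id in modules):
            called = f.attr
        elif isinstance(f, ast.Name) and f.id in names:
            called = names[f.id]
        else:
            continue
        if called not in CSPRNG_BACKED:
            hits.append((node.lineno, "random." + called))
    return sorted(hits)


if __name__ == "__main__":
    print(find_random_calls(SAMPLE))
```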

Workarounds

No workaround is currently available other than updating to v1.0.5.

Affected configurations

Vulners
Node: passeo_project / passeo / Range <1.0.5 / python

Vendor: passeo_project
Product: passeo
Version: *
CPE: cpe:2.3:a:passeo_project:passeo:*:*:*:*:*:python:*:*
