stormpath/sdk uses Insecure Random Number Generator

2024-05-2913:09:29

CWE-338

GitHub Advisory Database

github.com

vulnerability

insecure

random number generator

uuid

php

codebase

AI Score

Confidence

Low

JSON

The vulnerability pertains to the usage of an insecure random number generator (RNG) in the “stormpath-sdk-php” library. Specifically, the issue is present in the generation of UUID (Universally Unique Identifier) version 4 within the codebase.

Affected configurations

Vulners

Node

stormpathsdkRange≤1.19.0

VendorProductVersionCPE
stormpathsdk*cpe:2.3:a:stormpath:sdk:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
stormpath	sdk	*	cpe:2.3:a:stormpath:sdk::::::::

References

github.com/advisories/GHSA-q8fc-v85f-78pw

github.com/FriendsOfPHP/security-advisories/blob/master/stormpath/sdk/2017-11-20.yaml

github.com/stormpath/stormpath-sdk-php/blob/15aee3007b8aa41c20cdf28fd650b8a2368a7fa9/src/Util/UUID.php#L167-L181

github.com/stormpath/stormpath-sdk-php/blob/62698ea98ef89217f932e28cf3e511d39af3b4cf/src/Authc/Api/ApiKeyEncryptionOptions.php#L48-L50

github.com/stormpath/stormpath-sdk-php/issues/132

AI Score

Confidence

Low

JSON