Lucene search

GoogleOSV:GHSA-4C72-MRHF-23CG

HistoryMay 14, 2022 - 2:52 a.m.

Apache Syncope uses a weak PNRG

2022-05-1402:52:41

Google

osv.dev

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

0.008 Low

EPSS

Percentile

81.0%

JSON

Apache Syncope 1.1.x before 1.1.8 uses weak random values to generate passwords, which makes it easier for remote attackers to guess the password via a brute force attack.

CPENameOperatorVersion
org.apache.syncope:syncopeeq1.1.2
org.apache.syncope:syncopeeq1.1.4
org.apache.syncope:syncopeeq1.1.5
org.apache.syncope:syncopeeq1.1.7
org.apache.syncope:syncopeeq1.1.1
org.apache.syncope:syncopeeq1.1.6
org.apache.syncope:syncopeeq1.1.0
org.apache.syncope:syncopeeq1.1.3

Name	Operator	Version
org.apache.syncope:syncope	eq	1.1.2
org.apache.syncope:syncope	eq	1.1.4
org.apache.syncope:syncope	eq	1.1.5
org.apache.syncope:syncope	eq	1.1.7
org.apache.syncope:syncope	eq	1.1.1
org.apache.syncope:syncope	eq	1.1.6
org.apache.syncope:syncope	eq	1.1.0
org.apache.syncope:syncope	eq	1.1.3

References

packetstormsecurity.com/files/127375/Apache-Syncope-Insecure-Password-Generation.html

svn.apache.org/viewvc?view=revision&revision=r1596537

github.com/apache/syncope/commit/8e0045925a387ee211832c7e0709dd418cda1ad3

nvd.nist.gov/vuln/detail/CVE-2014-3503

syncope.apache.org/security.html#cve-2014-3503-insecure-random-implementations-used-to-generate-p

web.archive.org/web/20140728093808/www.securityfocus.com/bid/68431

web.archive.org/web/20201207014021/www.securityfocus.com/archive/1/532669/100/0/threaded

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

0.008 Low

EPSS

Percentile

81.0%

JSON

Related for OSV:GHSA-4C72-MRHF-23CG