Lucene search

GoogleOSV:GHSA-768M-5W34-2XF5

HistoryJul 15, 2022 - 8:55 p.m.

LTI 1.3 Tool Library's function used to generate random nonces not sufficiently cryptographically complex before v5.0

2022-07-1520:55:46

Google

osv.dev

lti 1.3

tool library

nonce generation

cryptographically complex

version 5.0

predictable values

forgable tokens

upgrade

security patch

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS

0.001

Percentile

31.8%

JSON

Impact

The function used to generate random nonces was not sufficiently cryptographically complex. As a result values may be predictable and tokens may be forgable.

Patches

Users should upgrade to version 5.0 immediately

Workarounds

None.

References

github.com/packbackbooks/lti-1-3-php-library

github.com/packbackbooks/lti-1-3-php-library/commit/de19e8a0b28cdc7750fa3ca98471eeed26ba3e57

github.com/packbackbooks/lti-1-3-php-library/security/advisories/GHSA-768m-5w34-2xf5

nvd.nist.gov/vuln/detail/CVE-2022-31157

openid.net/specs/openid-connect-core-1_0.html#IDToken

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS

0.001

Percentile

31.8%

JSON

Related for OSV:GHSA-768M-5W34-2XF5