9.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
6.4 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:N/A:P
0.002 Low
EPSS
Percentile
51.1%
A security-sensitive bug was discovered by Open Source Developer Erik Sundell of Sundell Open Source Consulting AB.
The functions RandomAlphaNumeric(int)
and CryptoRandomAlphaNumeric(int)
are not as random as they should be. Small values of int
in the functions above will return a smaller subset of results than they should. For example, RandomAlphaNumeric(1)
will always return a digit in the 0-9 range, while RandomAlphaNumeric(4)
will return around ~7 million of the ~13M possible permutations.
This is considered a security release because programs that rely upon random generators for passwords are at an increased risk of brute force-style password guessing. There is also a higher probability of collision.
The problem was the result of a mistaken regular expression that only accepted random strings if they contained a digit from [0-9]
. That restriction has been removed.
This issue has been corrected in v1.1.1.
If you cannot upgrade to v1.1.1, you can work around the issue by calling RandomAlphaNumericCustom(N, true, true)
|CryptoRandomAlphaNumericCustom(N, true, true)
instead. (Where N
is the desired length, and true
is the literal boolean true
.)
CPE | Name | Operator | Version |
---|---|---|---|
github.com/masterminds/goutils | lt | 1.1.1 |
9.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
6.4 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:N/A:P
0.002 Low
EPSS
Percentile
51.1%