Insufficient Random Numbers

2023-06-2408:30:19

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

0.0004 Low

EPSS

Percentile

13.3%

JSON

PHP is vulnerable to Insufficient Random Numbers. The vulnerability is due to the SOAP HTTP Digest authentication using uninitialized memory as the nonce from the client which gets sent to the server, but this uninitialized memory is insufficiently random. An attacker can exploit this flaw to guess the client nonce, resulting in sensitive information disclosure.

CPENameOperatorVersion
php7.4:bullseyeeq7.4.11-1
php7.3:bustereq7.3.19-1~deb10u1
php7.3:bustereq7.3.27-1~deb10u1
php7.4:bullseyeeq7.4.11-1
php7.3:bustereq7.3.19-1~deb10u1
php7.3:bustereq7.3.27-1~deb10u1
php81:3.17eq8.1.16-r0
php81:3.17eq8.1.13-r0
php81:3.17eq8.1.18-r0
php81:3.17eq8.1.20-r0

Name	Operator	Version
php7.4:bullseye	eq	7.4.11-1
php7.3:buster	eq	7.3.19-1~deb10u1
php7.3:buster	eq	7.3.27-1~deb10u1
php7.4:bullseye	eq	7.4.11-1
php7.3:buster	eq	7.3.19-1~deb10u1
php7.3:buster	eq	7.3.27-1~deb10u1
php81:3.17	eq	8.1.16-r0
php81:3.17	eq	8.1.13-r0
php81:3.17	eq	8.1.18-r0
php81:3.17	eq	8.1.20-r0