Lucene search

Veracode Vulnerability DatabaseVERACODE:44286

HistoryNov 16, 2023 - 5:56 a.m.

Weak 2FA Code Generation

2023-11-1605:56:08

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

weak code generation

python random module

one time codes

privacy and consent

cryptographically weak

pseudo-random number generator

identity verification process

backend process

security compromise

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

7.4 High

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

38.0%

JSON

Fides is vulnerable to Weak Code Generation. The vulnerability is due to the usage of the python random module used for generating one time codes in the Privacy and Consent request process which is considered to be a cryptographically weak pseudo-random number generator. This issue allows an attacker to predict future one time code values during the lifetime of the backend python process, compromising the security of the subject identity verification process.

CPENameOperatorVersion
ethyca-fidesle2.24.0rc9
ethyca-fidesle2.24.0rc9

CPE	Name	Operator	Version
	ethyca-fides	le	2.24.0rc9
	ethyca-fides	le	2.24.0rc9

References

github.com/ethyca/fides/commit/685bae61c203d29ed189f4b066a5223a9bb774c6

github.com/ethyca/fides/security/advisories/GHSA-82vr-5769-6358

peps.python.org/pep-0506/

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

7.4 High

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

38.0%

JSON

Related for VERACODE:44286