Vulnerability Details : CVE-2013-4347
The (1) make_nonce, (2) generate_nonce, and (3) generate_verifier functions in SimpleGeo python-oauth2 use weak random numbers to generate nonces, which makes it easier for remote attackers to guess the nonce via a brute force attack.
Products affected by CVE-2013-4347
- cpe:2.3:a:urbanairship:python-oauth2:-:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2013-4347
- EPSS score: 0.12% (probability of exploitation activity in the next 30 days)
- Percentile: ~32% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2013-4347
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:N | 8.6 | 4.9 | NIST | |
CWE ids for CVE-2013-4347
-
Assigned by: nvd@nist.gov (Primary)
References for CVE-2013-4347
- http://www.securityfocus.com/bid/62388
  python-oauth2 CVE-2013-4347 Multiple Predictable Random Number Generator Weaknesses
- https://github.com/simplegeo/python-oauth2/pull/146
  use a better random with SystemRandom (CVE-2013-4347) by pmakowski · Pull Request #146 · joestump/python-oauth2 · GitHub
- https://github.com/simplegeo/python-oauth2/issues/9
  make_nonce is not random enough · Issue #9 · joestump/python-oauth2 · GitHub
- http://www.openwall.com/lists/oss-security/2013/09/12/7
  oss-security - Re: cve requests for python-oauth2