Vulnerability Details : CVE-2018-1000620
Eran Hammer cryptiles version 4.1.1 earlier contains a CWE-331: Insufficient Entropy vulnerability in randomDigits() method that can result in An attacker is more likely to be able to brute force something that was supposed to be random.. This attack appear to be exploitable via Depends upon the calling application.. This vulnerability appears to have been fixed in 4.1.2.
Products affected by CVE-2018-1000620
- cpe:2.3:a:cryptiles_project:cryptiles:*:*:*:*:*:*:*:*
- cpe:2.3:a:cryptiles_project:cryptiles:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-1000620
0.38%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 58 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2018-1000620
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
10.0
|
2.9
|
NIST | |
|
9.8
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
NIST |
CWE ids for CVE-2018-1000620
-
The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.Assigned by: nvd@nist.gov (Primary)
References for CVE-2018-1000620
-
https://github.com/hapijs/cryptiles/issues/35
randomDigits() generates biased random digits · Issue #35 · hapijs/cryptiles · GitHub
-
https://github.com/hapijs/cryptiles/issues/34
randomDigits() generates biased random digits · Issue #34 · hapijs/cryptiles · GitHubIssue Tracking;Patch;Third Party Advisory
Jump to