Vulnerability Details : CVE-2021-23451
The package otp-generator before 3.0.0 are vulnerable to Insecure Randomness due to insecure generation of random one-time passwords, which may allow a brute-force attack.
Products affected by CVE-2021-23451
- cpe:2.3:a:otp-generator_project:otp-generator:*:*:*:*:*:node.js:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-23451
0.21%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 58 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2021-23451
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
9.8
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
NIST | |
6.5
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
3.9
|
2.5
|
Snyk |
CWE ids for CVE-2021-23451
-
The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.Assigned by: nvd@nist.gov (Primary)
References for CVE-2021-23451
-
https://github.com/Maheshkumar-Kakade/otp-generator/issues/12
Security issue · Issue #12 · Maheshkumar-Kakade/otp-generator · GitHubIssue Tracking;Third Party Advisory
-
https://github.com/Maheshkumar-Kakade/otp-generator/commit/b27de1ce439ae7f533cec26677e9698671275b70
Changed Math.Random with crypto.randomInt · Maheshkumar-Kakade/otp-generator@b27de1c · GitHubPatch;Third Party Advisory
-
https://security.snyk.io/vuln/SNYK-JS-OTPGENERATOR-1655480
Insecure Randomness in otp-generator | CVE-2021-23451 | SnykIssue Tracking;Patch;Third Party Advisory
Jump to