Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS03NjhtLTV3MzQtMnhmNc4AAtZ-
LTI 1.3 Tool Library's function used to generate random nonces not sufficiently cryptographically complex before v5.0
Impact
The function used to generate random nonces was not sufficiently cryptographically complex. As a result values may be predictable and tokens may be forgable.
Patches
Users should upgrade to version 5.0 immediately
Workarounds
None.
Permalink: https://github.com/advisories/GHSA-768m-5w34-2xf5JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03NjhtLTV3MzQtMnhmNc4AAtZ-
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: 9 months ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Identifiers: GHSA-768m-5w34-2xf5, CVE-2022-31157
References:
- https://github.com/packbackbooks/lti-1-3-php-library/security/advisories/GHSA-768m-5w34-2xf5
- https://github.com/packbackbooks/lti-1-3-php-library/commit/de19e8a0b28cdc7750fa3ca98471eeed26ba3e57
- https://openid.net/specs/openid-connect-core-1_0.html#IDToken
- https://nvd.nist.gov/vuln/detail/CVE-2022-31157
- https://github.com/advisories/GHSA-768m-5w34-2xf5
Blast Radius: 1.0
Affected Packages
packagist:packbackbooks/lti-1-3-php-library
Affected Version Ranges: < 5.0Fixed in: 5.0