Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXJxOGctNXBjNS13cmhy
Insufficient Entropy in cryptiles
Versions of cryptiles prior to 4.1.2 are vulnerable to Insufficient Entropy. The randomDigits() method does not provide sufficient entropy, and it generates digits that are not evenly distributed.
Recommendation
Upgrade to version 4.1.2. The package is deprecated and has been moved to @hapi/cryptiles, and it is strongly recommended to use the maintained package.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXJxOGctNXBjNS13cmhy
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 6 years ago
Updated: about 1 year ago
CVSS Score: 9.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Percentage: 0.00225
EPSS Percentile: 0.605
Identifiers: GHSA-rq8g-5pc5-wrhr, CVE-2018-1000620
References:
- https://nvd.nist.gov/vuln/detail/CVE-2018-1000620
- https://github.com/hapijs/cryptiles/issues/34
- https://github.com/advisories/GHSA-rq8g-5pc5-wrhr
- https://github.com/nodejs/security-wg/blob/master/vuln/npm/476.json
- https://www.npmjs.com/advisories/720
- https://www.npmjs.com/advisories/1464
- https://github.com/hapijs/cryptiles/commit/9332d4263a32b84e76bf538d7470d01ea63fa047
- https://github.com/hapijs/cryptiles/issues/35
- https://github.com/hapijs/cryptiles/commit/6bdcd0f6ee8ade96e7b30350bad39ee0c2ef0f9b
Blast Radius: 56.5
Affected Packages
npm:cryptiles
Dependent packages: 380
Dependent repositories: 582,872
Downloads: 3,513,267 last month
Affected Version Ranges: >= 3.1.0, < 4.1.2
Fixed in: 4.1.2
All affected versions: 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.2.1, 4.0.0, 4.0.1, 4.0.2, 4.1.0, 4.1.1
All unaffected versions: 0.0.1, 0.0.2, 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.2.0, 0.2.1, 0.2.2, 1.0.0, 1.0.1, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 3.0.0, 3.0.1, 3.0.2, 4.1.2, 4.1.3