CWE-338
AllowedUse of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
Abstraction: Base · Status: Draft
The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.
293 vulnerabilities reference this CWE, most recent first.
GHSA-6HHH-7CJ8-7MP2
Vulnerability from github – Published: 2026-02-24 00:31 – Updated: 2026-02-24 18:31Smolder versions through 1.51 for Perl uses insecure rand() function for cryptographic functions.
Smolder 1.51 and earlier for Perl uses the rand() function as the default source of entropy, which is not cryptographically secure, for cryptographic functions.
Specifically Smolder::DB::Developer uses the Data::Random library which specifically states that it is "Useful mostly for test programs". Data::Random uses the rand() function.
{
"affected": [],
"aliases": [
"CVE-2024-58041"
],
"database_specific": {
"cwe_ids": [
"CWE-338"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-24T00:16:17Z",
"severity": "CRITICAL"
},
"details": "Smolder versions through 1.51 for Perl uses insecure rand() function for cryptographic functions.\n\nSmolder 1.51 and earlier for Perl uses the rand() function as the default source of entropy, which is not cryptographically secure, for cryptographic functions.\n\nSpecifically Smolder::DB::Developer uses the Data::Random library which specifically states that it is \"Useful mostly for test programs\". Data::Random uses the rand() function.",
"id": "GHSA-6hhh-7cj8-7mp2",
"modified": "2026-02-24T18:31:01Z",
"published": "2026-02-24T00:31:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-58041"
},
{
"type": "WEB",
"url": "https://metacpan.org/release/BAREFOOT/Data-Random-0.13/source/lib/Data/Random.pm#L537"
},
{
"type": "WEB",
"url": "https://metacpan.org/release/WONKO/Smolder-1.51/source/lib/Smolder/DB/Developer.pm#L221"
},
{
"type": "WEB",
"url": "https://metacpan.org/release/WONKO/Smolder-1.51/source/lib/Smolder/DB/Developer.pm#L5"
},
{
"type": "WEB",
"url": "https://perldoc.perl.org/functions/rand"
},
{
"type": "WEB",
"url": "https://security.metacpan.org/docs/guides/random-data-for-security.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6P4W-GCXH-HF6C
Vulnerability from github – Published: 2022-05-24 19:01 – Updated: 2022-05-24 19:01BTCPay Server through 1.0.7.0 uses a weak method Next to produce pseudo-random values to generate a legacy API key.
{
"affected": [],
"aliases": [
"CVE-2021-29245"
],
"database_specific": {
"cwe_ids": [
"CWE-338"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-05-05T13:15:00Z",
"severity": "MODERATE"
},
"details": "BTCPay Server through 1.0.7.0 uses a weak method Next to produce pseudo-random values to generate a legacy API key.",
"id": "GHSA-6p4w-gcxh-hf6c",
"modified": "2022-05-24T19:01:25Z",
"published": "2022-05-24T19:01:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29245"
},
{
"type": "WEB",
"url": "https://blog.btcpayserver.org/vulnerability-disclosure-v1-0-7-0"
},
{
"type": "WEB",
"url": "https://github.com/btcpayserver/btcpayserver/releases"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-6QQF-VVCR-7QRV
Vulnerability from github – Published: 2019-05-23 09:27 – Updated: 2020-08-31 18:34Affected versions of generate-password generate random values that are biased towards certain characters depending on the chosen character sets. This may result in guessable passwords.
Recommendation
Update to version 1.4.1 or later.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "generate-password"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.4.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-338"
],
"github_reviewed": true,
"github_reviewed_at": "2019-05-23T07:38:39Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "Affected versions of generate-password generate random values that are biased towards certain characters depending on the chosen character sets. This may result in guessable passwords.\n\n\n## Recommendation\n\nUpdate to version 1.4.1 or later.\n",
"id": "GHSA-6qqf-vvcr-7qrv",
"modified": "2020-08-31T18:34:48Z",
"published": "2019-05-23T09:27:22Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/brendanashworth/generate-password/pull/26"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/762"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Cryptographically Weak PRNG in generate-password"
}
GHSA-72P8-V4HG-V45P
Vulnerability from github – Published: 2022-06-01 19:50 – Updated: 2022-06-15 18:57During an X25519 key exchange, the client’s private is generated with System.Random:
var rnd = new Random();
_privateKey = new byte[MontgomeryCurve25519.PrivateKeySizeInBytes];
rnd.NextBytes(_privateKey);
Source: KeyExchangeECCurve25519.cs
Source commit: https://github.com/sshnet/SSH.NET/commit/b58a11c0da55da1f5bad46faad2e9b71b7cb35b3
System.Random is not a cryptographically secure random number generator, it must therefore not be used for cryptographic purposes.
Impact
When establishing an SSH connection to a remote host, during the X25519 key exchange, the private key is generated with a weak random number generator whose seed can be bruteforced. This allows an attacker able to eavesdrop the communications to decrypt them.
Workarounds
To ensure you're not affected by this vulnerability, you can disable support for curve25519-sha256 and curve25519-sha256@libssh.org key exchange algorithms by invoking the following method before a connection is established:
private static void RemoveUnsecureKEX(BaseClient client)
{
client.ConnectionInfo.KeyExchangeAlgorithms.Remove("curve25519-sha256");
client.ConnectionInfo.KeyExchangeAlgorithms.Remove("curve25519-sha256@libssh.org");
}
Thanks
This issue was initially reported by Siemens AG, Digital Industries, shortly followed by @yaumn-synacktiv.
{
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "SSH.NET"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2020.0.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-29245"
],
"database_specific": {
"cwe_ids": [
"CWE-330",
"CWE-338"
],
"github_reviewed": true,
"github_reviewed_at": "2022-06-01T19:50:15Z",
"nvd_published_at": "2022-05-31T17:15:00Z",
"severity": "MODERATE"
},
"details": "During an **X25519** key exchange, the client\u2019s private is generated with [**System.Random**](https://docs.microsoft.com/en-us/dotnet/api/system.random):\n\n```cs\nvar rnd = new Random();\n_privateKey = new byte[MontgomeryCurve25519.PrivateKeySizeInBytes];\nrnd.NextBytes(_privateKey);\n```\n\nSource: [KeyExchangeECCurve25519.cs](https://github.com/sshnet/SSH.NET/blob/bc99ada7da3f05f50d9379f2644941d91d5bf05a/src/Renci.SshNet/Security/KeyExchangeECCurve25519.cs#L51) \nSource commit: https://github.com/sshnet/SSH.NET/commit/b58a11c0da55da1f5bad46faad2e9b71b7cb35b3\n\n[**System.Random**](https://docs.microsoft.com/en-us/dotnet/api/system.random) is not a cryptographically secure random number generator, it must therefore not be used for cryptographic purposes.\n\n### Impact\nWhen establishing an SSH connection to a remote host, during the X25519 key exchange, the private key is generated with\na weak random number generator whose seed can be bruteforced. This allows an attacker able to eavesdrop the\ncommunications to decrypt them.\n\n### Workarounds\nTo ensure you\u0027re not affected by this vulnerability, you can disable support for `curve25519-sha256` and `curve25519-sha256@libssh.org` key exchange algorithms by invoking the following method before a connection is established:\n```cs\nprivate static void RemoveUnsecureKEX(BaseClient client)\n{\n client.ConnectionInfo.KeyExchangeAlgorithms.Remove(\"curve25519-sha256\");\n client.ConnectionInfo.KeyExchangeAlgorithms.Remove(\"curve25519-sha256@libssh.org\");\n}\n```\n\n### Thanks\n\nThis issue was initially reported by **Siemens AG, Digital Industries**, shortly followed by @yaumn-synacktiv.",
"id": "GHSA-72p8-v4hg-v45p",
"modified": "2022-06-15T18:57:58Z",
"published": "2022-06-01T19:50:15Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/sshnet/SSH.NET/security/advisories/GHSA-72p8-v4hg-v45p"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29245"
},
{
"type": "WEB",
"url": "https://github.com/sshnet/SSH.NET/commit/03c6d60736b8f7b42e44d6989a53f9b644a091fb"
},
{
"type": "WEB",
"url": "https://github.com/sshnet/SSH.NET/commit/f1f273cf349532b9d41c1de51d3b83a9accedc88"
},
{
"type": "PACKAGE",
"url": "https://github.com/sshnet/SSH.NET"
},
{
"type": "WEB",
"url": "https://github.com/sshnet/SSH.NET/blob/bc99ada7da3f05f50d9379f2644941d91d5bf05a/src/Renci.SshNet/Security/KeyExchangeECCurve25519.cs#L51"
},
{
"type": "WEB",
"url": "https://github.com/sshnet/SSH.NET/releases/tag/2020.0.2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Weak private key generation in SSH.NET"
}
GHSA-75V8-2H7P-7M2M
Vulnerability from github – Published: 2025-04-26 21:31 – Updated: 2025-05-27 18:49Formidable (aka node-formidable) 2.x before 2.1.3 and 3.x before 3.5.3 relies on hexoid to prevent guessing of filenames for untrusted executable content; however, hexoid is documented as not "cryptographically secure." (Also, there is a scenario in which only the last two characters of a hexoid string need to be guessed, but this is not often relevant.) NOTE: this does not imply that, in a typical use case, attackers will be able to exploit any hexoid behavior to upload and execute their own content.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "formidable"
},
"ranges": [
{
"events": [
{
"introduced": "3.1.1-canary.20211030"
},
{
"fixed": "3.5.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "formidable"
},
"ranges": [
{
"events": [
{
"introduced": "2.1.0"
},
{
"fixed": "2.1.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-46653"
],
"database_specific": {
"cwe_ids": [
"CWE-338"
],
"github_reviewed": true,
"github_reviewed_at": "2025-04-29T14:07:17Z",
"nvd_published_at": "2025-04-26T21:15:14Z",
"severity": "LOW"
},
"details": "Formidable (aka node-formidable) 2.x before 2.1.3 and 3.x before 3.5.3 relies on hexoid to prevent guessing of filenames for untrusted executable content; however, hexoid is documented as not \"cryptographically secure.\" (Also, there is a scenario in which only the last two characters of a hexoid string need to be guessed, but this is not often relevant.) NOTE: this does not imply that, in a typical use case, attackers will be able to exploit any hexoid behavior to upload and execute their own content.",
"id": "GHSA-75v8-2h7p-7m2m",
"modified": "2025-05-27T18:49:20Z",
"published": "2025-04-26T21:31:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46653"
},
{
"type": "WEB",
"url": "https://github.com/node-formidable/formidable/commit/022c2c5577dfe14d2947f10909d81b03b6070bf5"
},
{
"type": "WEB",
"url": "https://github.com/node-formidable/formidable/commit/37a3e89fca1ed68ec674a539f13aafd62221ddaa"
},
{
"type": "PACKAGE",
"url": "https://github.com/node-formidable/formidable"
},
{
"type": "WEB",
"url": "https://github.com/node-formidable/formidable/blob/d0fbec13edc8add54a1afb9ce1a8d3db803f8d47/CHANGELOG.md?plain=1#L10"
},
{
"type": "WEB",
"url": "https://github.com/zast-ai/vulnerability-reports/blob/main/formidable/file_upload/report.md"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/package/formidable/v/2.1.3"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/package/formidable/v/3.5.3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Formidable relies on hexoid to prevent guessing of filenames for untrusted executable content"
}
GHSA-7F2Q-MWC4-6QVX
Vulnerability from github – Published: 2025-04-16 03:30 – Updated: 2025-04-16 03:30Delta Electronics COMMGR v1 and v2 uses insufficiently randomized values to generate session IDs (CWE-338). An attacker could easily brute force a session ID and load and execute arbitrary code.
{
"affected": [],
"aliases": [
"CVE-2025-3495"
],
"database_specific": {
"cwe_ids": [
"CWE-338"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-16T03:15:17Z",
"severity": "CRITICAL"
},
"details": "Delta Electronics COMMGR v1 and v2\u00a0uses insufficiently randomized values to generate session IDs (CWE-338). An attacker could easily brute force a session ID and load and execute arbitrary code.",
"id": "GHSA-7f2q-mwc4-6qvx",
"modified": "2025-04-16T03:30:24Z",
"published": "2025-04-16T03:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3495"
},
{
"type": "WEB",
"url": "https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2025-00005_COMMGR%20-%20Insufficient%20Randomization%20Authentication%20Bypass_v1.pdf"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-105-07"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7R2J-HGH9-JQQX
Vulnerability from github – Published: 2026-03-28 21:33 – Updated: 2026-03-31 21:31Amon2 versions before 6.17 for Perl use an insecure random_string implementation for security functions.
In versions 6.06 through 6.16, the random_string function will attempt to read bytes from the /dev/urandom device, but if that is unavailable then it generates bytes by concatenating a SHA-1 hash seeded with the built-in rand() function, the PID, and the high resolution epoch time. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage.
Before version 6.06, there was no fallback when /dev/urandom was not available.
Before version 6.04, the random_string function used the built-in rand() function to generate a mixed-case alphanumeric string.
This function may be used for generating session ids, generating secrets for signing or encrypting cookie session data and generating tokens used for Cross Site Request Forgery (CSRF) protection.
{
"affected": [],
"aliases": [
"CVE-2025-15604"
],
"database_specific": {
"cwe_ids": [
"CWE-338"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-28T19:16:53Z",
"severity": "CRITICAL"
},
"details": "Amon2 versions before 6.17 for Perl use an insecure random_string implementation for security functions.\n\nIn versions 6.06 through 6.16, the random_string function will attempt to read bytes from the /dev/urandom device, but if that is unavailable then it generates bytes by concatenating a SHA-1 hash seeded with the built-in rand() function, the PID, and the high resolution epoch time. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage.\n\nBefore version 6.06, there was no fallback when /dev/urandom was not available.\n\nBefore version 6.04, the random_string function used the built-in rand() function to generate a mixed-case alphanumeric string.\n\nThis function may be used for generating session ids, generating secrets for signing or encrypting cookie session data and generating tokens used for Cross Site Request Forgery (CSRF) protection.",
"id": "GHSA-7r2j-hgh9-jqqx",
"modified": "2026-03-31T21:31:18Z",
"published": "2026-03-28T21:33:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15604"
},
{
"type": "WEB",
"url": "https://github.com/tokuhirom/Amon/pull/135"
},
{
"type": "WEB",
"url": "https://metacpan.org/release/TOKUHIROM/Amon2-6.17/changes"
},
{
"type": "WEB",
"url": "https://metacpan.org/release/TOKUHIROM/Amon2-6.17/diff/TOKUHIROM/Amon2-6.16#lib/Amon2/Util.pm"
},
{
"type": "WEB",
"url": "https://security.metacpan.org/docs/guides/random-data-for-security.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/03/28/4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7RQ2-V6RC-96JW
Vulnerability from github – Published: 2026-03-31 12:31 – Updated: 2026-03-31 21:31Business::OnlinePayment::StoredTransaction versions through 0.01 for Perl uses an insecure secret key.
Business::OnlinePayment::StoredTransaction generates a secret key by using a MD5 hash of a single call to the built-in rand function, which is unsuitable for cryptographic use.
This key is intended for encrypting credit card transaction data.
{
"affected": [],
"aliases": [
"CVE-2025-15618"
],
"database_specific": {
"cwe_ids": [
"CWE-338"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-31T11:16:11Z",
"severity": "CRITICAL"
},
"details": "Business::OnlinePayment::StoredTransaction versions through 0.01 for Perl uses an insecure secret key.\n\nBusiness::OnlinePayment::StoredTransaction generates a secret key by using a MD5 hash of a single call to the built-in rand function, which is unsuitable for cryptographic use.\n\nThis key is intended for encrypting credit card transaction data.",
"id": "GHSA-7rq2-v6rc-96jw",
"modified": "2026-03-31T21:31:18Z",
"published": "2026-03-31T12:31:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15618"
},
{
"type": "WEB",
"url": "https://metacpan.org/dist/Business-OnlinePayment-StoredTransaction/source/lib/Business/OnlinePayment/StoredTransaction.pm#L64-75"
},
{
"type": "WEB",
"url": "https://security.metacpan.org/patches/B/Business-OnlinePayment-StoredTransaction/0.01/CVE-2025-15618-r1.patch"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/03/31/7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7VRC-HC62-3F49
Vulnerability from github – Published: 2024-09-26 18:31 – Updated: 2024-10-07 15:31The goTenna Pro series does not use SecureRandom when generating its cryptographic keys. The random function in use is not suitable for cryptographic use.
{
"affected": [],
"aliases": [
"CVE-2024-47126"
],
"database_specific": {
"cwe_ids": [
"CWE-338"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-26T18:15:09Z",
"severity": "HIGH"
},
"details": "The goTenna Pro series does not use SecureRandom when generating its cryptographic keys. The random function in use is not suitable for cryptographic use.",
"id": "GHSA-7vrc-hc62-3f49",
"modified": "2024-10-07T15:31:38Z",
"published": "2024-09-26T18:31:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47126"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-270-04"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-82VR-5769-6358
Vulnerability from github – Published: 2023-11-16 14:33 – Updated: 2023-11-16 14:33Impact
The Fides Privacy Center allows data subject users to submit privacy and consent requests to data controller users of the Fides web application.
Privacy requests allow data subjects to submit a request to access all person data held by the data controller, or delete/erase it. Consent request allows data subject users to modify their privacy preferences for how the data controller uses their personal data e.g. data sales and sharing consent opt-in/opt-out.
If subject_identity_verification_required in the [execution] section of fides.toml or the env var FIDES__EXECUTION__SUBJECT_IDENTITY_VERIFICATION_REQUIRED is set to True on the fides webserver backend, data subjects are sent a one-time code to their email address or phone number, depending on messaging configuration, and the one-time code must be entered in the Privacy Center UI by the data subject before the privacy or consent request is submitted.
It was identified that the one-time code values for these requests were generated by the python random module, a cryptographically weak pseduo-random number generator (PNRG). If an attacker generates several hundred consecutive one-time codes, this vulnerability allows the attacker to predict all future one-time code values during the lifetime of the backend python process.
There is no security impact on data access requests as the personal data download package is not shared in the Privacy Center itself. However, this vulnerability allows an attacker to (i) submit a verified data erasure request, resulting in deletion of data for the targeted user and (ii) submit a verified consent request, modifying a user's privacy preferences.
Patches
The vulnerability has been patched in Fides version 2.24.0. Users are advised to upgrade to this version or later to secure their systems against this threat.
Workarounds
None
References
- https://peps.python.org/pep-0506/
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "ethyca-fides"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.24.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-48224"
],
"database_specific": {
"cwe_ids": [
"CWE-338"
],
"github_reviewed": true,
"github_reviewed_at": "2023-11-16T14:33:06Z",
"nvd_published_at": "2023-11-15T21:15:08Z",
"severity": "HIGH"
},
"details": "### Impact\n\nThe Fides Privacy Center allows data subject users to submit privacy and consent requests to data controller users of the Fides web application.\n\nPrivacy requests allow data subjects to submit a request to access all person data held by the data controller, or delete/erase it. Consent request allows data subject users to modify their privacy preferences for how the data controller uses their personal data e.g. data sales and sharing consent opt-in/opt-out.\n\nIf `subject_identity_verification_required` in the `[execution]` section of `fides.toml` or the env var `FIDES__EXECUTION__SUBJECT_IDENTITY_VERIFICATION_REQUIRED` is set to `True` on the fides webserver backend, data subjects are sent a one-time code to their email address or phone number, depending on messaging configuration, and the one-time code must be entered in the Privacy Center UI by the data subject before the privacy or consent request is submitted.\n\nIt was identified that the one-time code values for these requests were generated by the python `random` module, a cryptographically weak pseduo-random number generator (PNRG). If an attacker generates several hundred consecutive one-time codes, this vulnerability allows the attacker to predict all future one-time code values during the lifetime of the backend python process.\n\nThere is no security impact on data access requests as the personal data download package is not shared in the Privacy Center itself. However, this vulnerability allows an attacker to (i) submit a verified data erasure request, resulting in deletion of data for the targeted user and (ii) submit a verified consent request, modifying a user\u0027s privacy preferences.\n\n### Patches\nThe vulnerability has been patched in Fides version `2.24.0`. Users are advised to upgrade to this version or later to secure their systems against this threat.\n\n### Workarounds\nNone\n\n### References\n* https://peps.python.org/pep-0506/",
"id": "GHSA-82vr-5769-6358",
"modified": "2023-11-16T14:33:06Z",
"published": "2023-11-16T14:33:06Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ethyca/fides/security/advisories/GHSA-82vr-5769-6358"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48224"
},
{
"type": "WEB",
"url": "https://github.com/ethyca/fides/commit/685bae61c203d29ed189f4b066a5223a9bb774c6"
},
{
"type": "PACKAGE",
"url": "https://github.com/ethyca/fides"
},
{
"type": "WEB",
"url": "https://peps.python.org/pep-0506"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
"type": "CVSS_V3"
}
],
"summary": "Ethyca Fides Cryptographically Weak Generation of One-Time Codes for Identity Verification"
}
Mitigation
Use functions or hardware which use a hardware-based random number generation for all crypto. This is the recommended solution. Use CyptGenRandom on Windows, or hw_rand() on Linux.
No CAPEC attack patterns related to this CWE.