Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

CVE-2019-11842

High

7.5/10

Summary

An issue was discovered in Matrix Sydent before 1.0.3 and Synapse before 0.99.3.1. Random number generation is mishandled, which makes it easier for attackers to predict a Sydent authentication token or a Synapse random ID.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: NONE
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: HIGH
Availability Impact: NONE

CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.

References

Advisory
Pull request
Advisory
Release Note
Pull request
Release Note

Advisory Timeline

Published May 09, 2019

Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

CVE-2019-11842

Summary

CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS