Insufficient Entropy

CVE-2021-4238

High

9.1/10

Summary

The package github.com/Masterminds/goutils versions prior to 1.1.1 is vulnerable to Insufficient Entropy. Randomly-generated alphanumeric strings contain significantly less entropy than expected. The 'RandomAlphaNumeric' and 'CryptoRandomAlphaNumeric' functions always return strings containing at least one digit from 0 to 9. This significantly reduces the amount of entropy in short strings generated by these functions.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: NONE
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: HIGH
Availability Impact: HIGH

CWE-331 - Insufficient Entropy

The software uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.

References

Advisory
Advisory
Release Note
Advisory

Advisory Timeline

Published Dec 27, 2022

Insufficient Entropy

CVE-2021-4238

Summary

CWE-331 - Insufficient Entropy

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS