Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

CVE-2022-23472

High

7.5/10

Summary

Passeo is an open source python password generator. Versions 1.0.2 through 1.0.4 rely on the python `random` library for random value selection. The python `random` library warns that it should not be used for security purposes due to its reliance on a non-cryptographically secure random number generator. As a result a motivated attacker may be able to guess generated passwords. This issue has been addressed in version 1.0.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: NONE
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: HIGH
Availability Impact: NONE

CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.

References

Advisory Timeline

Published Dec 06, 2022

Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

CVE-2022-23472

Summary

CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS