CVE-2018-1000620: Insufficient Entropy in cryptiles
Versions of cryptiles prior to 4.1.2 are vulnerable to Insufficient Entropy. The randomDigits() method does not provide sufficient entropy: the digits it generates are not evenly distributed.
References
- github.com/advisories/GHSA-rq8g-5pc5-wrhr
- github.com/hapijs/cryptiles/commit/6bdcd0f6ee8ade96e7b30350bad39ee0c2ef0f9b
- github.com/hapijs/cryptiles/commit/9332d4263a32b84e76bf538d7470d01ea63fa047
- github.com/hapijs/cryptiles/commit/cb6bd642816e0cb8341d2b3896fd9e7c57e94f56
- github.com/hapijs/cryptiles/issues/34
- github.com/hapijs/cryptiles/issues/35
- github.com/nodejs/security-wg/blob/master/vuln/npm/476.json
- nvd.nist.gov/vuln/detail/CVE-2018-1000620
- www.npmjs.com/advisories/1464
- www.npmjs.com/advisories/720