GMS-2022-3787: Duplicate of ./npm/nodebb/CVE-2022-36045.yml

August 30, 2022

utils.generateUUID, a helper function available in essentially all versions of NodeBB (as far back as v1.0.1 and potentially earlier) used a cryptographically insecure Pseudo-random number generator (Math.random()), which meant that a specially crafted script combined with multiple invocations of the password reset functionality could enable an attacker to correctly calculate the reset code for an account they do not have access to.

References

github.com/NodeBB/NodeBB/commit/81e3c1ba488d03371a5ce8d0ebb5c5803026e0f9
github.com/NodeBB/NodeBB/security/advisories/GHSA-p4cc-w597-6cpm
github.com/advisories/GHSA-p4cc-w597-6cpm

Code Behaviors & Features

Detect and mitigate GMS-2022-3787 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →