CVE-2018-1000620

EUVD-2018-0467
Eran Hammer cryptiles version 4.1.1 earlier contains a CWE-331: Insufficient Entropy vulnerability in randomDigits() method that can result in An attacker is more likely to be able to brute force something that was supposed to be random.. This attack appear to be exploitable via Depends upon the calling application.. This vulnerability appears to have been fixed in 4.1.2.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 57%
Affected Products (NVD)
VendorProductVersion
cryptiles_projectcryptiles
𝑥
< 3.1.3
cryptiles_projectcryptiles
4.1.0 ≤
𝑥
< 4.1.2
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/hapijs/cryptiles/issues/34
https://github.com/hapijs/cryptiles/issues/35
https://github.com/hapijs/cryptiles/issues/34
https://github.com/hapijs/cryptiles/issues/35