Lucene search

GitHub Advisory DatabaseGHSA-4C72-MRHF-23CG

HistoryMay 14, 2022 - 2:52 a.m.

Apache Syncope uses a weak PNRG

2022-05-1402:52:41

CWE-338

GitHub Advisory Database

github.com

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

0.008 Low

EPSS

Percentile

81.3%

JSON

Apache Syncope 1.1.x before 1.1.8 uses weak random values to generate passwords, which makes it easier for remote attackers to guess the password via a brute force attack.

Affected configurations

Vulners

Node

org.apache.syncope\Matchsyncope

CPENameOperatorVersion
org.apache.syncope:syncopelt1.1.8

CPE	Name	Operator	Version
	org.apache.syncope:syncope	lt	1.1.8

References

packetstormsecurity.com/files/127375/Apache-Syncope-Insecure-Password-Generation.html

svn.apache.org/viewvc?view=revision&revision=r1596537

github.com/advisories/GHSA-4c72-mrhf-23cg

github.com/apache/syncope/commit/8e0045925a387ee211832c7e0709dd418cda1ad3

nvd.nist.gov/vuln/detail/CVE-2014-3503

syncope.apache.org/security.html#cve-2014-3503-insecure-random-implementations-used-to-generate-p

web.archive.org/web/20140728093808/www.securityfocus.com/bid/68431

web.archive.org/web/20201207014021/www.securityfocus.com/archive/1/532669/100/0/threaded

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

0.008 Low

EPSS

Percentile

81.3%

JSON

Related for GHSA-4C72-MRHF-23CG