Weak 2FA Code Generation

2023-11-1605:56:08

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

weak code generation

python random module

one time codes

privacy and consent

cryptographically weak

pseudo-random number generator

identity verification process

backend process

security compromise

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

AI Score

7.4

Confidence

Low

EPSS

0.001

Percentile

38.0%

JSON

Fides is vulnerable to Weak Code Generation. The vulnerability is due to the usage of the python random module used for generating one time codes in the Privacy and Consent request process which is considered to be a cryptographically weak pseudo-random number generator. This issue allows an attacker to predict future one time code values during the lifetime of the backend python process, compromising the security of the subject identity verification process.