Insecure Randomness

Affecting github.com/satori/go.uuid package, versions =1.2.0

Overview

github.com/satori/go.uuid provides a pure Go implementation of Universally Unique Identifiers (UUIDs).

Affected versions of this package are vulnerable to Insecure Randomness: they can produce predictable UUIDs because of the limited number of bytes read when calling the g.rand.Read function.
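
The failure mode described above, as an added example that is not the package's own code: Go's io.Reader contract allows Read to return fewer bytes than requested without an error, so filling a 16-byte UUID with a single Read call can leave the remaining bytes at zero, while io.ReadFull requires the whole buffer. The names shortReader, singleRead, fullRead and zeroTail are hypothetical, and the short-reading source is constructed for the demonstration.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"io"
)

// shortReader (constructed for this demo) returns at most max bytes per Read.
type shortReader struct {
	src io.Reader
	max int
}

func (s shortReader) Read(p []byte) (int, error) {
	if len(p) > s.max {
		p = p[:s.max]
	}
	return s.src.Read(p)
}

// singleRead calls Read once and ignores the byte count; unfilled bytes stay 0.
func singleRead(r io.Reader) ([16]byte, error) {
	var u [16]byte
	_, err := r.Read(u[:])
	return u, err
}

// fullRead uses io.ReadFull, which loops until all 16 bytes are filled or fails.
func fullRead(r io.Reader) ([16]byte, error) {
	var u [16]byte
	_, err := io.ReadFull(r, u[:])
	return u, err
}

// zeroTail counts the trailing zero bytes of a UUID buffer.
func zeroTail(u [16]byte) int {
	n := 0
	for i := len(u) - 1; i >= 0 && u[i] == 0; i-- {
		n++
	}
	return n
}

func main() {
	r := shortReader{src: rand.Reader, max: 4}
	weak, _ := singleRead(r)
	strong, _ := fullRead(r)
	fmt.Printf("single Read: %x (%d zero)\nio.ReadFull: %x (%d zero)\n", weak, zeroTail(weak), strong, zeroTail(strong))
}
```

With a source that hands back 4 bytes per call, the single-Read UUID carries only 32 random bits; the remaining 12 bytes are fixed at zero.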

Remediation

A fix was merged into the master branch but has not yet been published.

CVSS Score

8.1 (high severity)

  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Credit: josselin-c
CWE: CWE-338
Snyk ID: SNYK-GOLANG-GITHUBCOMSATORIGOUUID-72488
Disclosed: 23 Mar, 2018
Published: 24 Oct, 2018