Cryptographic Backdoor

Affecting generate-password package, versions <1.4.1

Overview

generate-password is a relatively extensive library for generating random and unique passwords.

Affected versions of this package are vulnerable to Cryptographic Backdoor (CWE-310): the random values it generates are biased towards certain characters, depending on the chosen character sets, so the resulting passwords may be more guessable than their length suggests.

Remediation

Upgrade generate-password to version 1.4.1 or higher.

CVSS Score

5.9
medium severity
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: None
  • Availability: None
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Credit
Unknown
CWE
CWE-310
Snyk ID
SNYK-JS-GENERATEPASSWORD-73498
Disclosed
14 Dec, 2018
Published
10 Jan, 2019