| id: GO-2022-0411 |
| modules: |
| - module: github.com/Masterminds/goutils |
| versions: |
| - fixed: 1.1.1 |
| vulnerable_at: 1.1.0 |
| packages: |
| - package: github.com/Masterminds/goutils |
| symbols: |
| - RandomAlphaNumeric |
| - CryptoRandomAlphaNumeric |
| summary: Insufficient randomness in github.com/Masterminds/goutils |
| description: |- |
| Randomly-generated alphanumeric strings contain significantly less entropy than |
| expected. |
| |
| The RandomAlphaNumeric and CryptoRandomAlphaNumeric functions always return |
| strings containing at least one digit from 0 to 9. This significantly reduces |
| the amount of entropy in short strings generated by these functions. |
| published: 2022-07-01T20:08:24Z |
| ghsas: |
| - GHSA-3839-6r69-m497 |
| - GHSA-xg2h-wx96-xgxr |
| references: |
| - fix: https://github.com/Masterminds/goutils/commit/869801f20f9f1e7ecdbdb6422049d8241270d5e1 |
| cve_metadata: |
| id: CVE-2021-4238 |
| cwe: 'CWE 330: Use of Insufficiently Random Values' |
| review_status: REVIEWED |