data/reports/GO-2022-0411.yaml - vulndb - Git at Google

 id: GO-2022-0411
 modules:
     - module: github.com/Masterminds/goutils
       versions:
         - fixed: 1.1.1
       vulnerable_at: 1.1.0
       packages:
         - package: github.com/Masterminds/goutils
           symbols:
             - RandomAlphaNumeric
             - CryptoRandomAlphaNumeric
 summary: Insufficient randomness in github.com/Masterminds/goutils
 description: |-
     Randomly-generated alphanumeric strings contain significantly less entropy than
     expected.

     The RandomAlphaNumeric and CryptoRandomAlphaNumeric functions always return
     strings containing at least one digit from 0 to 9. This significantly reduces
     the amount of entropy in short strings generated by these functions.
 published: 2022-07-01T20:08:24Z
 ghsas:
     - GHSA-3839-6r69-m497
     - GHSA-xg2h-wx96-xgxr
 references:
     - fix: https://github.com/Masterminds/goutils/commit/869801f20f9f1e7ecdbdb6422049d8241270d5e1
 cve_metadata:
     id: CVE-2021-4238
     cwe: 'CWE 330: Use of Insufficiently Random Values'
	id: GO-2022-0411
	modules:
	- module: github.com/Masterminds/goutils
	versions:
	- fixed: 1.1.1
	vulnerable_at: 1.1.0
	packages:
	- package: github.com/Masterminds/goutils
	symbols:
	- RandomAlphaNumeric
	- CryptoRandomAlphaNumeric
	summary: Insufficient randomness in github.com/Masterminds/goutils
	description: \|-
	Randomly-generated alphanumeric strings contain significantly less entropy than
	expected.

	The RandomAlphaNumeric and CryptoRandomAlphaNumeric functions always return
	strings containing at least one digit from 0 to 9. This significantly reduces
	the amount of entropy in short strings generated by these functions.
	published: 2022-07-01T20:08:24Z
	ghsas:
	- GHSA-3839-6r69-m497
	- GHSA-xg2h-wx96-xgxr
	references:
	- fix: https://github.com/Masterminds/goutils/commit/869801f20f9f1e7ecdbdb6422049d8241270d5e1
	cve_metadata:
	id: CVE-2021-4238
	cwe: 'CWE 330: Use of Insufficiently Random Values'