Insecure Randomness Affecting com.github.penggle:kaptcha package, versions [0,]
Snyk CVSS
Attack Complexity: High
Threat Intelligence
EPSS: 0.36% (73rd percentile)
- Snyk ID SNYK-JAVA-COMGITHUBPENGGLE-72734
- published 25 Dec 2018
- disclosed 19 Oct 2018
- credit FanjunMeng
Introduced: 19 Oct 2018
- CVE-2018-18531
How to fix?
There is no fixed version for com.github.penggle:kaptcha.
Overview
com.github.penggle:kaptcha is a Java library for generating CAPTCHA images.
Affected versions of this package are vulnerable to Insecure Randomness. text/impl/DefaultTextCreator.java, text/impl/ChineseTextProducer.java, and text/impl/FiveLetterFirstNameTextCreator.java in kaptcha use java.util.Random rather than java.security.SecureRandom to generate the CAPTCHA text. java.util.Random is a 48-bit linear congruential generator whose output is fully determined by its internal state, so an attacker who can observe or reconstruct that state can predict CAPTCHA values, which makes it easier for remote attackers to bypass intended access restrictions via a brute-force approach.
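The contrast the advisory describes, as an added example that is not kaptcha's own code: a text creator that draws characters from java.util.Random next to the same selection logic backed by java.security.SecureRandom, plus a small demonstration of why the former is a poor choice for a CAPTCHA. The alphabet string, the method and class names and the 5-character length are assumptions chosen for illustration; the constants 0x5DEECE66DL, 0xBL and the 48-bit mask are java.util.Random's documented generator parameters.

```java
import java.security.SecureRandom;
import java.util.Random;

/*
 * Added example, not code from the kaptcha project. The alphabet below is an
 * assumed example character set, not kaptcha's default configuration.
 */
public class KaptchaRandomnessDemo {

    static final char[] ALPHABET = "abcde2345678gfynmnpwx".toCharArray();

    // Weak: mirrors the pattern the advisory describes, a java.util.Random
    // instance choosing each CAPTCHA character.
    static String weakCaptchaText(Random rng, int length) {
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) {
            sb.append(ALPHABET[rng.nextInt(ALPHABET.length)]);
        }
        return sb.toString();
    }

    // Hardened: identical selection logic, CSPRNG-backed source. SecureRandom
    // extends Random, so a separate entry point makes the stronger type a
    // requirement rather than a convention.
    static String strongCaptchaText(SecureRandom rng, int length) {
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) {
            sb.append(ALPHABET[rng.nextInt(ALPHABET.length)]);
        }
        return sb.toString();
    }

    // java.util.Random is a 48-bit LCG: state' = (state * MULT + ADD) mod 2^48,
    // and nextInt() returns the top 32 bits of the new state, so only 16 bits
    // of the state stay hidden per output.
    static final long MULT = 0x5DEECE66DL;
    static final long ADD = 0xBL;
    static final long MASK = (1L << 48) - 1;

    // Given two consecutive nextInt() outputs, brute-force the 16 hidden bits
    // and return the full state after the second output, or -1 if none matches.
    static long recoverState(int out1, int out2) {
        long high = (out1 & 0xFFFFFFFFL) << 16;          // out1 as unsigned 32 bits
        for (long low = 0; low < (1L << 16); low++) {
            long candidate = high | low;                 // state after out1
            long next = (candidate * MULT + ADD) & MASK; // state after out2
            if ((int) (next >>> 16) == out2) {
                return next;
            }
        }
        return -1;
    }

    // Advance a recovered state one step and return what nextInt() will produce.
    static int predictNextInt(long state) {
        long next = (state * MULT + ADD) & MASK;
        return (int) (next >>> 16);
    }

    public static void main(String[] args) {
        Random weak = new Random();   // default seed is clock-derived, not secret
        int a = weak.nextInt();
        int b = weak.nextInt();
        long state = recoverState(a, b);
        int predicted = predictNextInt(state);
        int actual = weak.nextInt();
        System.out.println("Recovered state predicts next output: " + (predicted == actual));

        System.out.println("weak   : " + weakCaptchaText(new Random(), 5));
        System.out.println("strong : " + strongCaptchaText(new SecureRandom(), 5));
    }
}
```

Run it with `java KaptchaRandomnessDemo.java` (JDK 11+ single-file launch); the first line prints `true` every time, because after two observed values the weak generator's entire future is known. The demonstration uses full nextInt() outputs; a CAPTCHA exposes only nextInt(bound) results, which leak fewer bits per character, but the state space is still only 48 bits and the default seed is derived from the clock rather than from a secret, so the assumption that the text is unguessable does not hold. Since no fixed version exists, the practical mitigation is to stop kaptcha from using its bundled text creators: kaptcha lets a deployment name its own TextProducer implementation through the kaptcha.textproducer.impl configuration property, so a class whose getText() follows the strongCaptchaText pattern can replace DefaultTextCreator without patching the library (property name and interface as assumed here from the kaptcha configuration; verify them against the version you deploy).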