Insecure Randomness Affecting com.orientechnologies:orientdb-core package, versions (,2.1.11)
Snyk CVSS
- Attack Complexity: Low
- User Interaction: Required
- Snyk ID SNYK-JAVA-COMORIENTECHNOLOGIES-30333
- published 15 Jan 2016
- disclosed 15 Jan 2016
- credit Predrag Gruevski
Overview
com.orientechnologies:orientdb-core
The OServer.java file is responsible for auto-generating passwords using new Random(). This is Java's default random-number generator, seeded with the current system time, which is not secure because its output is easily predictable. The fix replaces it with the SecureRandom random-number generator.
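The following is an added example, not OrientDB's code and not taken from the advisory. It shows the class of defect the advisory describes (a password built from java.util.Random) beside the hardened form (the same routine fed by SecureRandom), and demonstrates why the first is unsafe: two Random instances given the same seed produce the same "random" password. The class and method names (PasswordGenDemo, weakPassword, securePassword, build) and the seed value are assumptions made up for this illustration.

```java
import java.security.SecureRandom;
import java.util.Random;

public class PasswordGenDemo {

    // Constructed alphabet for the generated password; not from the advisory.
    private static final String ALPHABET =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

    // Weak pattern: java.util.Random is a linear congruential generator whose
    // entire output stream is fixed by a 48-bit seed. Anything built from it
    // (passwords, tokens, session ids) is reproducible by anyone who learns or
    // guesses the seed, so it must not be used for secrets.
    static String weakPassword(Random rng, int length) {
        return build(rng, length);
    }

    // Hardened pattern: SecureRandom is seeded from the platform entropy source
    // and is the generator the fix described in the advisory switched to.
    static String securePassword(int length) {
        return build(new SecureRandom(), length);
    }

    // Shared character-selection loop. SecureRandom extends Random, so the same
    // routine accepts both generators; only the source of randomness differs.
    private static String build(Random rng, int length) {
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) {
            sb.append(ALPHABET.charAt(rng.nextInt(ALPHABET.length())));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed seed standing in for a timestamp; not a real observed value.
        long seed = 1452816000000L;

        // Same seed, same "random" password: the generator is deterministic.
        String a = weakPassword(new Random(seed), 16);
        String b = weakPassword(new Random(seed), 16);
        System.out.println("java.util.Random, same seed: " + a + " / " + b
            + " -> equal=" + a.equals(b));   // equal=true

        // SecureRandom instances are independently seeded by the OS; the two
        // passwords do not repeat.
        String c = securePassword(16);
        String d = securePassword(16);
        System.out.println("SecureRandom:                " + c + " / " + d
            + " -> equal=" + c.equals(d));   // equal=false
    }
}
```

When reviewing Java code for this weakness, the thing to look for is any new Random() (or Math.random()) whose output reaches a password, token, key, nonce or session identifier; the remediation is the one the advisory records, substituting SecureRandom, which the shared build routine above accepts without any other change. Static analyzers for Java flag this pattern (Find Security Bugs reports it as PREDICTABLE_RANDOM), which makes it cheap to catch in CI before a release.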