Use of Insufficiently Random Values Affecting npm package, versions <1:9.5.0-1.18.14.2.3.module+el8.8.0+21122+857852f8
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-ORACLE8-NPM-5798215
- published 15 Jun 2023
- disclosed 25 May 2023
Introduced: 25 May 2023
CVE-2023-31124 Open this link in a new tabHow to fix?
Upgrade Oracle:8 npm to version 1:9.5.0-1.18.14.2.3.module+el8.8.0+21122+857852f8 or higher.
This issue was patched in ELSA-2023-4035.
NVD Description
Note: Versions mentioned in the description apply only to the upstream npm package and not the npm package as distributed by Oracle.
See How to fix? for Oracle:8 relevant fixed versions and status.
c-ares is an asynchronous resolver library. When cross-compiling c-ares and using the autotools build system, CARES_RANDOM_FILE will not be set, as seen when cross compiling aarch64 android. This will downgrade to using rand() as a fallback which could allow an attacker to take advantage of the lack of entropy by not using a CSPRNG. This issue was patched in version 1.19.1.
References
- https://linux.oracle.com/cve/CVE-2023-31124.html
- https://linux.oracle.com/errata/ELSA-2023-3577.html
- https://linux.oracle.com/errata/ELSA-2023-3586.html
- https://linux.oracle.com/errata/ELSA-2023-4034.html
- https://linux.oracle.com/errata/ELSA-2023-4035.html
- https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1
- https://github.com/c-ares/c-ares/security/advisories/GHSA-54xr-f67r-4pc4
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B5Z5XFNXTNPTCBBVXFDNZQVLLIE6VRBY/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UBFWILTA33LOSV23P44FGTQQIDRJHIY7/
- https://security.gentoo.org/glsa/202310-09