Insecure Randomness Affecting cryptiles package, versions >=3.1.0 <3.1.3 >=4.0.0 <4.1.2
Threat Intelligence
EPSS
0.21% (59th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID npm:cryptiles:20180710
- published 19 Jul 2018
- disclosed 9 Jul 2018
- credit Microsoft Vulnerability Research
Introduced: 9 Jul 2018
CVE-2018-1000620 Open this link in a new tabHow to fix?
Upgrade to versions 3.1.3, 4.1.2 and higher.
Overview
cryptiles is a package for general crypto utilities.
Affected versions of this package are vulnerable to Insecure Randomness. The randomDigits()
method is supposed to return a cryptographically strong pseudo-random data string, but it was biased to certain digits. An attacker could be able to guess the created digits.
CVSS Scores
version 3.1