CRITICAL 9.8 npm
Insufficient Entropy in cryptiles
GHSA-rq8g-5pc5-wrhr · CVE-2018-1000620
Published · Modified
Description
Versions of cryptiles prior to 4.1.2 are vulnerable to Insufficient Entropy. The randomDigits() method does not provide sufficient entropy: it generates digits that are not evenly distributed.
Recommendation
Upgrade to version 4.1.2. The package is deprecated and has moved to @hapi/cryptiles; using the maintained package is strongly recommended.
References
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2018-1000620
- WEB https://github.com/hapijs/cryptiles/issues/34
- WEB https://github.com/hapijs/cryptiles/issues/35
- WEB https://github.com/hapijs/cryptiles/commit/6bdcd0f6ee8ade96e7b30350bad39ee0c2ef0f9b
- WEB https://github.com/hapijs/cryptiles/commit/9332d4263a32b84e76bf538d7470d01ea63fa047
- WEB https://github.com/hapijs/cryptiles/commit/cb6bd642816e0cb8341d2b3896fd9e7c57e94f56
- PACKAGE https://github.com/hapijs/cryptiles
- WEB https://github.com/nodejs/security-wg/blob/master/vuln/npm/476.json
- WEB https://www.npmjs.com/advisories/1464
- WEB https://www.npmjs.com/advisories/720