WS-2021-0120 (Medium) detected in github.com/Masterminds/goutils-v1.1.0 - autoclosed
mend-bolt-for-github opened this issue · comments
WS-2021-0120 - Medium Severity Vulnerability
Vulnerable Library - github.com/Masterminds/goutils-v1.1.0
GoUtils is a Go implementation of some string manipulation libraries of Apache Commons. This is an open source project aimed at providing Go users with utility functions to manipulate strings in various ways.
Library home page: https://proxy.golang.org/github.com/masterminds/goutils/@v/v1.1.0.zip
Dependency Hierarchy:
- github.com/Masterminds/sprig-v2.22.0+incompatible (Root Library)
- ❌ github.com/Masterminds/goutils-v1.1.0 (Vulnerable Library)
Found in HEAD commit: 2aada85674c55286335b211e44ebd8a6e4c394bb
Found in base branch: master
Vulnerability Details
A security-sensitive bug was discovered goutils before version 1.1.1.
The functions RandomAlphaNumeric(int) and CryptoRandomAlphaNumeric(int) are not as random as they should be. Small values of int in the functions above will return a smaller subset of results than they should. For example, RandomAlphaNumeric(1) will always return a digit in the 0-9 range, while RandomAlphaNumeric(4) will return around ~7 million of the ~13M possible permutations.
This is considered a security release because programs that rely upon random generators for passwords are at an increased risk of brute force-style password guessing. There is also a higher probability of collision.
The problem was the result of a mistaken regular expression that only accepted random strings if they contained a digit from [0-9]. That restriction has been removed.
Publish Date: 2021-05-21
URL: WS-2021-0120
CVSS 3 Score Details (5.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
Step up your Open Source Security Game with Mend here
✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
ℹ️ This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.
✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.