Vulnerable Library - github.com/Masterminds/goutils-v1.1.0

GoUtils is a Go implementation of some string manipulation libraries of Apache Commons. This is an open source project aimed at providing Go users with utility functions to manipulate strings in various ways.

Library home page: https://proxy.golang.org/github.com/masterminds/goutils/@v/v1.1.0.zip

Dependency Hierarchy:

• github.com/Masterminds/sprig-v2.22.0+incompatible (Root Library)
  • ❌ github.com/Masterminds/goutils-v1.1.0 (Vulnerable Library)

Found in HEAD commit: 2aada85674c55286335b211e44ebd8a6e4c394bb

Found in base branch: master

Vulnerability Details

A security-sensitive bug was discovered goutils before version 1.1.1.

The functions RandomAlphaNumeric(int) and CryptoRandomAlphaNumeric(int) are not as random as they should be. Small values of int in the functions above will return a smaller subset of results than they should. For example, RandomAlphaNumeric(1) will always return a digit in the 0-9 range, while RandomAlphaNumeric(4) will return around ~7 million of the ~13M possible permutations.

This is considered a security release because programs that rely upon random generators for passwords are at an increased risk of brute force-style password guessing. There is also a higher probability of collision.

The problem was the result of a mistaken regular expression that only accepted random strings if they contained a digit from [0-9]. That restriction has been removed.

Publish Date: 2021-05-21

URL: WS-2021-0120

CVSS 3 Score Details (5.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2021-05-21

Fix Resolution: v1.1.1