random_compat Uses insecure CSPRNG
Low severity · GitHub Reviewed
Published May 17, 2024 to the GitHub Advisory Database · Reviewed May 17, 2024 · Last updated May 17, 2024

Description
random_compat versions prior to 2.0 are affected by a security vulnerability related to the insecure usage of Cryptographically Secure Pseudo-Random Number Generators (CSPRNG). The affected versions use openssl_random_pseudo_bytes(), which may result in insufficient entropy and compromise the security of generated random numbers.
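As an added illustration (not random_compat's own code), the call pattern the advisory describes, trusting openssl_random_pseudo_bytes() without checking whether OpenSSL reported a cryptographically strong result, beside a hardened replacement that fails closed and prefers the native random_bytes() where the runtime has it; the function names are assumptions, and on PHP 8 openssl_random_pseudo_bytes() throws on failure instead of returning false.

```php
<?php
// Added example, not code from random_compat. No scalar type hints so it also
// runs on the PHP 5 releases that random_compat was written to support.

/**
 * Weak pattern: the second argument is never passed, so output that OpenSSL
 * did NOT generate with a cryptographically strong algorithm is silently
 * accepted as if it were CSPRNG output.
 */
function weak_random_bytes($length)
{
    return openssl_random_pseudo_bytes($length);
}

/**
 * Hardened pattern: use the native CSPRNG when it exists (PHP 7.0+);
 * otherwise require OpenSSL to confirm the bytes are cryptographically
 * strong and refuse to return anything if it did not.
 */
function safe_random_bytes($length)
{
    if (!is_int($length) || $length < 1) {
        throw new InvalidArgumentException('length must be a positive integer');
    }
    if (function_exists('random_bytes')) {
        return random_bytes($length); // native CSPRNG, throws on failure
    }
    $strong = false;
    $bytes = openssl_random_pseudo_bytes($length, $strong);
    if ($bytes === false || $strong !== true || strlen($bytes) !== $length) {
        // Fail closed: never hand back bytes OpenSSL did not vouch for.
        throw new RuntimeException('OpenSSL did not report cryptographically strong randomness');
    }
    return $bytes;
}

// Example use: a 16-byte token, hex-encoded for display.
echo bin2hex(safe_random_bytes(16)), PHP_EOL;
```

Code that still calls openssl_random_pseudo_bytes() directly should be migrated to random_bytes() or to a random_compat release that is not affected (2.0 or later, per the advisory).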