Improper random number generation in nanorand · CVE-2020-35926 · GitHub Advisory Database · GitHub

Improper random number generation in nanorand

Moderate severity GitHub Reviewed Published Aug 25, 2021 to the GitHub Advisory Database • Updated Jun 13, 2023

Package

nanorand (Rust)

Affected versions

< 0.5.1

Patched versions

0.5.1

Description

In versions of nanorand prior to 0.5.1, RandomGen implementations for standard unsigned integers could fail to properly generate numbers, due to using bit-shifting to truncate a 64-bit number, rather than just an as conversion. This often manifested as RNGs returning nothing but 0, including the cryptographically secure ChaCha random number generator.

References

Reviewed Aug 19, 2021

Published to the GitHub Advisory Database Aug 25, 2021

Last updated Jun 13, 2023

Severity

Moderate

5.1

/ 10

CVSS base metrics

Attack vector

Local

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N