
Java: PRNG used when CSPRNG is required #30

Closed
@JLLeitschuh

Description


PRNG -> Pseudorandom Number Generator (predictably random)
CSPRNG -> Cryptographically Secure Pseudorandom Number Generator

CVE ID(s)

Most of these were not found using CodeQL. Most of them were found using GitHub's fuzzy code search.

I've got at least one CVE in flight for this currently.

Report

The goal of this query is to detect the use of a PRNG like java.util.Random, org.apache.commons.lang.RandomStringUtils, org.apache.commons.text.RandomStringGenerator, or java.util.concurrent.ThreadLocalRandom in a security sensitive context.
Security sensitive would be things like password reset URLs, token cookies, and temporary reset passwords.

This vulnerability can have a CVSSv3 score of up to 9.8/10, depending on how the insecure data generated is used.

Query

The query can be found here: github/codeql#2694

Talk about the Query?

Sure, why not.

  • Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc). We would love to have you spread the word about the good work you are doing
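The following is an added example, not code from the issue author or from the CodeQL query it links; it shows concretely why the "PRNG in a security-sensitive context" pattern matters. `java.util.Random` is a 48-bit linear congruential generator, and `nextInt()` returns the top 32 bits of that state, so an attacker who obtains two consecutive outputs (for example, by requesting two password-reset tokens) can brute-force the remaining 16 bits, clone the generator and predict the next token issued to another user. The constants `MULTIPLIER`, `ADDEND` and `MASK` are the ones documented for `java.util.Random`; the class and method names below are hypothetical, and the hardened variant uses `java.security.SecureRandom` as the replacement.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Random;

public class ResetTokenDemo {
    // java.util.Random's LCG parameters, as documented in the JDK.
    private static final long MULTIPLIER = 0x5DEECE66DL;
    private static final long ADDEND = 0xBL;
    private static final long MASK = (1L << 48) - 1;

    // VULNERABLE: the pattern the query is meant to flag. Each nextInt() call
    // leaks the top 32 bits of a 48-bit state, so two tokens leak almost all of it.
    static int[] weakTokenParts(Random rng) {
        return new int[] { rng.nextInt(), rng.nextInt() };
    }

    // Attacker side: recover the full 48-bit state from two consecutive nextInt()
    // outputs by brute-forcing the 16 low bits the first output does not reveal.
    // Returns the state *after* the second output, or -1 if nothing matched.
    static long recoverState(int out1, int out2) {
        long high = ((long) out1 & 0xFFFFFFFFL) << 16;
        for (long low = 0; low < (1L << 16); low++) {
            long s1 = high | low;
            long s2 = (s1 * MULTIPLIER + ADDEND) & MASK;   // one LCG step
            if ((int) (s2 >>> 16) == out2) {
                return s2;
            }
        }
        return -1;
    }

    // Build a Random whose internal state equals `state`. The constructor scrambles
    // its argument as (seed ^ MULTIPLIER) & MASK, so pre-apply the XOR to undo it.
    static Random cloneFromState(long state) {
        return new Random(state ^ MULTIPLIER);
    }

    // HARDENED: what a reset-token / session-cookie generator should look like.
    // 32 bytes from SecureRandom gives 256 bits of unpredictable entropy, encoded
    // URL-safe so it can be dropped straight into a reset link.
    private static final SecureRandom SECURE = new SecureRandom();

    static String secureToken() {
        byte[] buf = new byte[32];
        SECURE.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    public static void main(String[] args) {
        Random victim = new Random();                 // unknown seed, as in real code
        int[] seen = weakTokenParts(victim);          // two tokens the attacker requested
        long state = recoverState(seen[0], seen[1]);
        if (state < 0) {
            System.out.println("state recovery failed (should not happen)");
            return;
        }
        Random predicted = cloneFromState(state);
        int guess = predicted.nextInt();              // attacker's prediction
        int actual = victim.nextInt();                // next user's "random" token
        System.out.println("java.util.Random: predicted " + guess + ", actual " + actual
                + (guess == actual ? "  (PREDICTED)" : "  (miss)"));
        System.out.println("SecureRandom token: " + secureToken());
    }
}
```

Run with `javac ResetTokenDemo.java && java ResetTokenDemo`; the predicted and actual values match every time. The same state-recovery idea applies to `ThreadLocalRandom` and to the Commons `RandomStringUtils` / `RandomStringGenerator` defaults, since they are backed by the same kind of non-cryptographic generator; the fix in each case is to supply a `SecureRandom` (or to call `SecureRandom` directly) wherever the output ends up in a URL, cookie or temporary password.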


Labels: All For One (Submissions to the All for One, One for All bounty)
