Description
PRNG -> Pseudorandom Number Generator (predictably random)
CSPRNG -> Cryptographically Secure Pseudorandom Number Generator
CVE ID(s)
- Ratpack/Ratpack: CVE-2019-11808
- Apereo/Apereo CAS: CVE-2019-10754 & CVE-2019-10754
- pac4j/saml: CVE-2019-10755
- streamr-dev/engine-and-editor (No CVE, not distributed)
- JHipster/generator-jhipster: CVE-2019-16303
- Since this was in a code generator, there are now ⚠️ 14.6k repositories ⚠️ on GitHub with this vulnerability.
Most of these were not found using CodeQL. Most of them were found using GitHub's fuzzy code search.
I've got at least one CVE in flight for this currently.
Report
The goal of this query is to detect the use of a PRNG like java.util.Random, org.apache.commons.lang.RandomStringUtils, org.apache.commons.text.RandomStringGenerator, or java.util.concurrent.ThreadLocalRandom in a security sensitive context.
Security sensitive contexts include password reset URLs, token cookies, and temporary reset passwords.
Depending on how the insecurely generated data is used, this vulnerability can carry a CVSSv3 score of up to 9.8/10.
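As an added illustration (not code from this submission or from any of the projects listed above), the following Java shows the pattern the query is meant to flag, a password reset token and a temporary password generated from java.util.Random, next to the hardened form that draws the same values from java.security.SecureRandom. The class and method names are assumptions made for the example.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Random;

public class ResetTokenExample {

    // Alphabet for a temporary reset password (constructed for the example).
    private static final String ALPHABET =
            "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789";

    // VULNERABLE: java.util.Random is a PRNG. Its output is a deterministic
    // function of a 48-bit seed, so it must never back a security token.
    static String insecureResetToken() {
        Random prng = new Random();
        byte[] raw = new byte[32];
        prng.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    // VULNERABLE for the same reason: the "random" password is predictable.
    static String insecureTempPassword(int length) {
        Random prng = new Random();
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) {
            sb.append(ALPHABET.charAt(prng.nextInt(ALPHABET.length())));
        }
        return sb.toString();
    }

    // HARDENED: SecureRandom is a CSPRNG backed by the platform's secure
    // source. One shared instance is fine; it is thread-safe.
    private static final SecureRandom CSPRNG = new SecureRandom();

    static String secureResetToken() {
        byte[] raw = new byte[32];               // 256 bits of entropy
        CSPRNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    static String secureTempPassword(int length) {
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) {
            // nextInt(bound) on SecureRandom is unbiased over the alphabet.
            sb.append(ALPHABET.charAt(CSPRNG.nextInt(ALPHABET.length())));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        System.out.println("insecure token   : " + insecureResetToken());
        System.out.println("secure token     : " + secureResetToken());
        System.out.println("insecure password: " + insecureTempPassword(12));
        System.out.println("secure password  : " + secureTempPassword(12));
    }
}
```

The fix is mechanical: every `new Random()` or `ThreadLocalRandom.current()` on the path to a token, cookie value, or temporary credential becomes a `SecureRandom`. For the Apache helpers named in the report, commons-lang3's `RandomStringUtils.random(count, start, end, letters, numbers, chars, random)` overload accepts a `Random` argument, so a `SecureRandom` can be passed in rather than relying on the default, and commons-text's `RandomStringGenerator.Builder` exposes `usingRandom(...)` for the same purpose; the default constructors of both are exactly what the query is looking for.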
Query
The query can be found here: github/codeql#2694
Talk about the Query?
Sure, why not.
- Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc). We would love to have you spread the word about the good work you are doing