Use of insecure random number generator in Passeo
CVE-2022-23472

5.9MEDIUM

Key Information:

Vendor

Arjunsharda

Status
Passeo
Vendor
CVE Published:
6 December 2022

What is CVE-2022-23472?

Passeo is an open source python password generator. Versions prior to 1.0.5 rely on the python random library for random value selection. The python random library warns that it should not be used for security purposes due to its reliance on a non-cryptographically secure random number generator. As a result a motivated attacker may be able to guess generated passwords. This issue has been addressed in version 1.0.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Affected Version(s)

Passeo < 1.0.5

References

https://github.com/ArjunSharda/Passeo/security/advisories...
x_refsource_CONFIRM
https://github.com/ArjunSharda/Passeo/commit/8caa798b6bc4...
x_refsource_MISC
https://peps.python.org/pep-0506/
x_refsource_MISC

CVSS V3.1

Score:
5.9
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.