Apache Syncope uses a weak PNRG

Description

Apache Syncope 1.1.x before 1.1.8 uses weak random values to generate passwords, which makes it easier for remote attackers to guess the password via a brute force attack.

Basic information

Type
reviewed
Severity
medium
Advisory on GitHub
Open advisory ↗
Repository advisory
Source code
Not specified
Published (advisory)
2022-05-14 02:52:41 UTC
Updated
2023-08-15 22:11:51 UTC
GitHub reviewed
2023-08-15 22:11:49 UTC
NVD published
2014-07-11

EPSS Score

Score Percentile
1.94% 82.87%

CVSS Scores

No CVSS scores in this advisory.

Identifiers

CWEs

CWE id Name
CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
maven org.apache.syncope:syncope >= 1.1.0, < 1.1.8 1.1.8

References

cvelogic Threat Intelligence