CVE-2016-1902 — Insufficient Entropy in PRNG in Security

CWE-310 CWE-332 — Insufficient Entropy in PRNG8 documents6 sources

Severity

7.5HIGHNVD

EPSS

0.4%

top 39.49%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Symfony Symfony Security Symfony Security-core +2 more

Timeline

PublishedJun 1

Latest updateMay 17

Description

The nextBytes function in the SecureRandom class in Symfony before 2.3.37, 2.6.x before 2.6.13, and 2.7.x before 2.7.9 does not properly generate random numbers when used with PHP 5.x without the paragonie/random_compat library and the openssl_random_pseudo_bytes function fails, which makes it easier for attackers to defeat cryptographic protection mechanisms via unspecified vectors.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages5 packages

▶Packagistsymfony/symfony2.3.0 — 2.3.37+2

▶Packagistsymfony/security2.3.0 — 2.3.37+2

▶Packagistsymfony/security-core2.4.0 — 2.6.13+1

▶Debiansymfony/symfony< 2.7.9+dfsg-1+3

▶NVDsensiolabs/symfony2.3.36+22

Also affects: Debian Linux 8.0

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Symfony Cryptographic Vulnerability↗2022-05-17

▶

GHSA

Symfony Cryptographic Vulnerability↗2022-05-17

▶

OSV

CVE-2016-1902: The nextBytes function in the SecureRandom class in Symfony before 2↗2016-06-01

▶

CVEList

CVE-2016-1902: The nextBytes function in the SecureRandom class in Symfony before 2↗2016-06-01

▶

📋Vendor Advisories

Debian

CVE-2016-1902: symfony - The nextBytes function in the SecureRandom class in Symfony before 2.3.37, 2.6.x...↗2016

▶

💬Community

Bugzilla

CVE-2016-1902 php-symfony: SecureRandom's fallback not secure when OpenSSL fails↗2016-05-30

▶

Bugzilla

CVE-2016-1902 php-symfony: SecureRandom's fallback not secure when OpenSSL fails [epel-6]↗2016-05-30

▶