CVE-2019-11842 — Use of Cryptographically Weak Pseudo-Random Number Generator in Sydent

CWE-338 — Use of Cryptographically Weak Pseudo-Random Number Generator9 documents7 sources

Severity

7.5HIGHNVD

EPSS

0.5%

top 32.51%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Matrix Sydent Matrix Synapse

Timeline

PublishedMay 9

Latest updateMay 16

Description

An issue was discovered in Matrix Sydent before 1.0.3 and Synapse before 0.99.3.1. Random number generation is mishandled, which makes it easier for attackers to predict a Sydent authentication token or a Synapse random ID.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶NVDmatrix/sydent< 1.0.3

▶NVDmatrix/synapse< 0.99.3.1

🔴Vulnerability Details

OSV

matrix-synapse vulnerabilities↗2023-05-16

▶

OSV

matrix-sydent and matrix-synapse Use Cryptographically Weak PRNG↗2022-05-24

▶

GHSA

matrix-sydent and matrix-synapse Use Cryptographically Weak PRNG↗2022-05-24

▶

OSV

CVE-2019-11842: An issue was discovered in Matrix Sydent before 1↗2019-05-09

▶

CVEList

CVE-2019-11842: An issue was discovered in Matrix Sydent before 1↗2019-05-09

▶

📋Vendor Advisories

Ubuntu

Synapse vulnerabilities↗2023-05-16

▶

Debian

CVE-2019-11842: matrix-synapse - An issue was discovered in Matrix Sydent before 1.0.3 and Synapse before 0.99.3....↗2019

▶

💬Community

Bugzilla

CVE-2019-9948 python: Undocumented local_file protocol allows remote attackers to bypass protection mechanisms↗2019-04-03

▶