CVE-2021-23566 — Incorrect Type Conversion or Cast in Project Nanoid

CWE-704 — Incorrect Type Conversion or Cast CWE-212 — Improper Removal of Sensitive Information Before Storage or Transfer CWE-200 — Sensitive Information Exposure6 documents5 sources

Severity

5.5MEDIUMNVD

EPSS

0.0%

top 92.40%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nanoid Project Nanoid Debian Node-mocha Debian Node-postcss

Timeline

PublishedJan 14

Latest updateJan 21

Description

The package nanoid from 3.0.0 and before 3.1.31 are vulnerable to Information Exposure via the valueOf() function which allows to reproduce the last id generated.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages5 packages

▶CVEListV5nanoid_project/nanoidunspecified — 3.1.31

▶NVDnanoid_project/nanoid3.0.0 — 3.1.31

▶npmnanoid_project/nanoid3.0.0 — 3.1.31

▶debiandebian/node-mocha< node-mocha 9.1.4+ds1+~cs28.2.8-1 (bookworm)

▶debiandebian/node-postcss< node-mocha 9.1.4+ds1+~cs28.2.8-1 (bookworm)

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Exposure of Sensitive Information to an Unauthorized Actor in nanoid↗2022-01-21

▶

GHSA

Exposure of Sensitive Information to an Unauthorized Actor in nanoid↗2022-01-21

▶

OSV

CVE-2021-23566: The package nanoid from 3↗2022-01-14

▶

📋Vendor Advisories

Red Hat

nanoid: Information disclosure via valueOf() function↗2022-01-21

▶

Debian

CVE-2021-23566: node-mocha - The package nanoid from 3.0.0 and before 3.1.31 are vulnerable to Information Ex...↗2021

▶