CVE-2021-4238: Insufficient Entropy in Masterminds Goutils (github.com/Masterminds/goutils)

Severity: 9.1 CRITICAL (NVD)
EPSS: 0.3% (top 42.64%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Dec 27
Latest update: Dec 28

Description

Randomly-generated alphanumeric strings contain significantly less entropy than expected. The RandomAlphaNumeric and CryptoRandomAlphaNumeric functions always return strings containing at least one digit from 0 to 9. This significantly reduces the amount of entropy in short strings generated by these functions.
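The entropy loss described above can be quantified and checked for. The following Go sketch is an added example, not code from goutils or from this advisory; the function names and the 62-character alphabet ordering are assumptions. It computes the entropy ceiling when every string must contain a digit, draws an unconstrained string from crypto/rand, and tests a batch of generator output for the "always has a digit" signature.

```go
// Added example, not goutils code; all names here are illustrative.
package main

import (
	"crypto/rand"
	"fmt"
	"math"
	"math/big"
	"strings"
)

const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"

// EntropyBits: ideal bits for n alphanumeric chars, and the ceiling once a digit is forced.
func EntropyBits(n int) (ideal, capped float64) {
	all, noDigit := math.Pow(62, float64(n)), math.Pow(52, float64(n))
	return math.Log2(all), math.Log2(all - noDigit) // 62^n - 52^n strings contain a digit
}

// UniformAlphaNumeric picks every character independently from all 62 symbols.
func UniformAlphaNumeric(n int) (string, error) {
	out := make([]byte, n)
	max := big.NewInt(int64(len(alphabet)))
	for i := range out {
		idx, err := rand.Int(rand.Reader, max) // unbiased index in [0, 62)
		if err != nil {
			return "", err
		}
		out[i] = alphabet[idx.Int64()]
	}
	return string(out), nil
}

// AlwaysHasDigit is true when every sample has a digit: the defect's signature on short strings.
func AlwaysHasDigit(samples []string) bool {
	for _, s := range samples {
		if !strings.ContainsAny(s, "0123456789") {
			return false
		}
	}
	return len(samples) > 0
}

func main() {
	for _, n := range []int{1, 4, 8, 16} {
		ideal, capped := EntropyBits(n)
		fmt.Printf("n=%2d ideal=%.2f bits, forced digit <= %.2f bits\n", n, ideal, capped)
	}
}
```

The capped figure is an upper bound that assumes the constrained strings are otherwise uniformly distributed; to use the check as a regression test, collect a few hundred short strings from the generator under review and pass them to AlwaysHasDigit.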

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Exploitability: 3.9 | Impact: 5.2

Patches

🔴 Vulnerability Details (5)

OSV (2022-12-28): Duplicate Advisory: GoUtils's randomly-generated alphanumeric strings contain significantly less entropy than expected
OSV (2022-12-27): CVE-2021-4238: Randomly-generated alphanumeric strings contain significantly less entropy than expected
OSV (2022-07-01): Insufficient randomness in github.com/Masterminds/goutils
OSV (2021-05-21): RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be
GHSA (2021-05-21): RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be

📋 Vendor Advisories (3)

Red Hat (2022-12-27): goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be
Microsoft (2022-12-13): Insufficient randomness in github.com/Masterminds/goutils
Debian (2021): CVE-2021-4238: golang-github-masterminds-goutils - Randomly-generated alphanumeric strings contain significantly less entropy than ...