CVE-2018-1000620

ADVISORY - github

Summary

Versions of cryptiles prior to 4.1.2 are vulnerable to Insufficient Entropy. The randomDigits() method does not provide sufficient entropy and its generates digits that are not evenly distributed.

Recommendation

Upgrade to version 4.1.2. The package is deprecated and has been moved to @hapi/cryptiles and it is strongly recommended to use the maintained package.

EPSS Score⁠: 0.00374 (0.584)

Common Weakness Enumeration (CWE)

ADVISORY - nist

CWE-331⁠

Insufficient Entropy

ADVISORY - github

CWE-331⁠

Insufficient Entropy

ADVISORY - gitlab

CWE-1035⁠

OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

CWE-331⁠

Insufficient Entropy

CWE-937⁠

OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

ADVISORY - redhat

CWE-330⁠

Use of Insufficiently Random Values

Impacted images

Sign in to Docker Scout

See which of your images are affected by this CVE and how to fix them by signing into Docker Scout.