GHSA-mhhf-vgwh-fw9h
Suggest an improvement- Source
- https://github.com/advisories/GHSA-mhhf-vgwh-fw9h
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-mhhf-vgwh-fw9h/GHSA-mhhf-vgwh-fw9h.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-mhhf-vgwh-fw9h
- Aliases
- Related
- Published
- 2022-12-06T21:13:32Z
- Modified
- 2024-10-09T20:24:25.616923Z
- Severity
-
- 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- 8.2 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Passeo uses insecure random number generator
- Details
-
Impact
Everyone below v1.0.5 is impacted by this flaw, of confidentiality being at risk due to the password(s) being easily able to be guessed with Passeo's use of the
randomlibrary. It is recommended to change any passwords made with Passeo before v1.0.5 and upgrade to v1.0.5, and v1.0.5 patches this with thesecretslibrary.Workarounds
No current workaround available than updating to v1.0.5.
- Database specific
{ "nvd_published_at": "2022-12-06T18:15:00Z", "cwe_ids": [ "CWE-338" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2022-12-06T21:13:32Z" }- References
-
- https://github.com/ArjunSharda/Passeo/security/advisories/GHSA-mhhf-vgwh-fw9h
- https://nvd.nist.gov/vuln/detail/CVE-2022-23472
- https://github.com/ArjunSharda/Passeo/commit/8caa798b6bc4647dca59b2376204b6dc6176361a
- https://github.com/ArjunSharda/Passeo
- https://github.com/pypa/advisory-database/tree/main/vulns/passeo/PYSEC-2022-42997.yaml
- https://peps.python.org/pep-0506
Affected packages
PyPI / passeo
Package
- Name
- passeo
- View open source insights on deps.dev
- Purl
- pkg:pypi/passeo