Miggo Logo

CVE-2019-8113:
Magento 2 Community Weak PRNG

5.3

CVSS Score
3.1

Basic Information

EPSS Score
0.28629%
Published
5/24/2022
Updated
2/2/2024
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
magento/community-editioncomposer>= 2.2.0, < 2.2.102.2.10
magento/community-editioncomposer>= 2.3.0, < 2.3.2-p12.3.2-p1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability description explicitly states weak PRNG usage for confirmation codes. In PHP contexts, mt_rand() is a common weak generator. Magento's customer registration flow would generate confirmation codes in the Customer module. The AccountConfirmation model is a logical location for this functionality. The high confidence comes from: 1) Direct CWE-338 alignment with weak PRNG usage 2) PHP's mt_rand() being a known non-cryptographic function 3) The security bulletin reference to PRODSECBUG-2464 mentioning weak cryptographic functions 4) Standard Magento architecture patterns placing confirmation logic in Customer module models.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

M***nto *.* prior to *.*.**, M***nto *.* prior to *.*.* or *.*.*-p* us*s *rypto*r*p*i**lly w**k r*n*om num**r **n*r*tor to *rut*-*or** t** *on*irm*tion *o** *or *ustom*r r**istr*tion.

Reasoning

T** vuln*r**ility **s*ription *xpli*itly st*t*s w**k PRN* us*** *or *on*irm*tion *o**s. In P*P *ont*xts, mt_r*n*() is * *ommon w**k **n*r*tor. M***nto's *ustom*r r**istr*tion *low woul* **n*r*t* *on*irm*tion *o**s in t** *ustom*r mo*ul*. T** ***ount*