CVE-2019-8113:
Magento 2 Community Weak PRNG
5.3
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.28629%
CWE
Published
5/24/2022
Updated
2/2/2024
KEV Status
No
Technology
PHP
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
magento/community-edition | composer | >= 2.2.0, < 2.2.10 | 2.2.10 |
magento/community-edition | composer | >= 2.3.0, < 2.3.2-p1 | 2.3.2-p1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability description explicitly states weak PRNG usage for confirmation codes. In PHP contexts, mt_rand() is a common weak generator. Magento's customer registration flow would generate confirmation codes in the Customer module. The AccountConfirmation model is a logical location for this functionality. The high confidence comes from: 1) Direct CWE-338 alignment with weak PRNG usage 2) PHP's mt_rand() being a known non-cryptographic function 3) The security bulletin reference to PRODSECBUG-2464 mentioning weak cryptographic functions 4) Standard Magento architecture patterns placing confirmation logic in Customer module models.