Miggo Logo
Miggo Vulnerability Database
CVE-2021-3678

CVE-2021-3678: Use of Cryptographically Weak Pseudo-Random Number Generator in showdoc

5.9

CVSS Score
3.1

Basic Information

CVE ID
CVE-2021-3678
GHSA ID
GHSA-j85q-whc9-g4p9
EPSS Score
0.59412%
CWE
CWE-338
Published
9/2/2021
Updated
2/1/2023
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
showdoc/showdoccomposer< 2.9.82.9.8

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The commit diff shows both functions originally used md5(time() + rand() + uniqid()) to generate secrets. PHP's rand() and uniqid() are not cryptographically secure, and combining them with a static string ('rgrsfsrfsrf') further weakens entropy. The fix replaced this with random_bytes(), a CSPRNG. These two functions directly handled cryptographic secret generation, making them the clear vulnerable points.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

s*ow*o* is vuln*r**l* to Us* o* *rypto*r*p*i**lly W**k Ps*u*o-R*n*om Num**r **n*r*tor (PRN*)

Reasoning

T** *ommit *i** s*ows *ot* `*un*tions` ori*in*lly us** `m**(tim*() + r*n*() + uniqi*())` to **n*r*t* s**r*ts. P*P's `r*n*()` *n* `uniqi*()` *r* not *rypto*r*p*i**lly s**ur*, *n* *om*inin* t**m wit* * st*ti* strin* ('r*rs*sr*sr*') *urt**r w**k*ns *ntr