
CVE-2021-4238:
GoUtils's randomly-generated alphanumeric strings contain significantly less entropy than expected

CVSS Score (v3.1): 9.1

Basic Information

EPSS Score: 0.49428%
Published: 12/28/2022
Updated: 5/20/2024
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Package Name: github.com/Masterminds/goutils
Ecosystem: go
Vulnerable Versions: < 1.1.1
First Patched Version: 1.1.1

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

  1. Both functions are explicitly named in CVE/GHSA descriptions
  2. Commit diff shows removal of regex-based digit validation and forced digit insertion logic
  3. The weakness is most pronounced in short strings, where forcing a digit eliminates a large share of the possible character combinations
  4. Patch removes these constraints by trusting the underlying CryptoRandom/Random functions
  5. Added regression tests verify prevention of all-numeric outputs (a side effect of the flawed logic)
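To make the entropy loss in points 3 and 4 concrete, here is an added illustration (my code, not Miggo's or goutils's): it counts how many distinct strings a generator that always forces at least one digit can still produce, compared with the intended uniform generator, and models the described forced-digit behaviour so the skew can be observed. All names are assumptions of this example, and `flawed_alphanumeric` is a constructed model of the analysis above, not the original implementation.

```python
"""Entropy loss behind CVE-2021-4238 (constructed illustration, not goutils code).

Compares a generator that never returns a digit-free string with the intended
uniform one. All names here are assumptions of this example.
"""
import math
import secrets
import string

ALPHANUMERIC = string.ascii_letters + string.digits  # 62 symbols
LETTERS = string.ascii_letters                       # 52 symbols

def reachable_outputs(length: int, force_digit: bool) -> int:
    """Distinct strings the generator can possibly return."""
    total = len(ALPHANUMERIC) ** length
    if not force_digit:
        return total
    # "At least one digit" = every string minus the all-letter strings.
    return total - len(LETTERS) ** length

def output_space_bits(length: int, force_digit: bool) -> float:
    """log2 of the reachable output space: an upper bound on the entropy.
    Forcing a digit by overwriting a position also skews the distribution,
    so the real min-entropy is lower still."""
    return math.log2(reachable_outputs(length, force_digit))

def entropy_loss_bits(length: int) -> float:
    """Bits removed by the at-least-one-digit constraint; largest for short strings."""
    return output_space_bits(length, False) - output_space_bits(length, True)

def uniform_alphanumeric(length: int) -> str:
    """Intended behaviour: each character drawn independently and uniformly."""
    return "".join(secrets.choice(ALPHANUMERIC) for _ in range(length))

def flawed_alphanumeric(length: int) -> str:
    """Model of the described defect (constructed): draw uniformly, then
    overwrite one position with a digit if none appeared."""
    chars = list(uniform_alphanumeric(length))
    if length and not any(c.isdigit() for c in chars):
        chars[secrets.randbelow(length)] = secrets.choice(string.digits)
    return "".join(chars)

def fraction_with_digit(generator, length: int, samples: int) -> float:
    """Share of outputs containing a digit: about 1-(52/62)^length when
    uniform, always 1.0 for the flawed generator."""
    hits = sum(any(c.isdigit() for c in generator(length)) for _ in range(samples))
    return hits / samples
```

Evaluating `entropy_loss_bits` for lengths 1, 2 and 8 gives roughly 2.6, 1.8 and 0.4 bits, which is why the analysis singles out short strings; `fraction_with_digit` run on a one-character output shows the uniform generator emitting a digit about 16% of the time and the flawed model 100% of the time.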

WAF Protection Rules

WAF Rule

Randomly-generated alphanumeric strings contain significantly less entropy than expected. The `RandomAlphaNumeric` and `CryptoRandomAlphaNumeric` functions always return strings containing at least one digit from 0 to 9. This significantly reduces th
