GHSA-q8fc-v85f-78pw: stormpath/sdk uses Insecure Random Number Generator
5.3
CVSS Score
3.1
Basic Information
CVE ID
-
GHSA ID
EPSS Score
-
CWE
Published
5/29/2024
Updated
5/29/2024
KEV Status
No
Technology
PHP
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| stormpath/sdk | composer | <= 1.19.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The UUID::generateRandom method directly uses mt_rand() for critical UUID v4 entropy, violating RFC 4122's requirement for cryptographically secure random values. The ApiKeyEncryptionOptions constructor's fallback uses uniqid() (time-based) and md5(), which lack sufficient entropy for cryptographic salts. Both patterns are explicitly cited in the advisory links and match known insecure PRNG practices (CWE-338).