Miggo Logo
Miggo Vulnerability Database
GHSA-q8fc-v85f-78pw

GHSA-q8fc-v85f-78pw: stormpath/sdk uses Insecure Random Number Generator

5.3

CVSS Score
3.1

Basic Information

CVE ID
-
GHSA ID
GHSA-q8fc-v85f-78pw
EPSS Score
-
CWE
CWE-338
Published
5/29/2024
Updated
5/29/2024
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
stormpath/sdkcomposer<= 1.19.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The UUID::generateRandom method directly uses mt_rand() for critical UUID v4 entropy, violating RFC 4122's requirement for cryptographically secure random values. The ApiKeyEncryptionOptions constructor's fallback uses uniqid() (time-based) and md5(), which lack sufficient entropy for cryptographic salts. Both patterns are explicitly cited in the advisory links and match known insecure PRNG practices (CWE-338).

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** vuln*r**ility p*rt*ins to t** us*** o* *n ins**ur* r*n*om num**r **n*r*tor (RN*) in t** "stormp*t*-s*k-p*p" li*r*ry. Sp**i*i**lly, t** issu* is pr*s*nt in t** **n*r*tion o* UUI* (Univ*rs*lly Uniqu* I**nti*i*r) v*rsion * wit*in t** *o****s*.

Reasoning

T** UUI*::**n*r*t*R*n*om m*t*o* *ir**tly us*s mt_r*n*() *or *riti**l UUI* v* *ntropy, viol*tin* R** ****'s r*quir*m*nt *or *rypto*r*p*i**lly s**ur* r*n*om v*lu*s. T** *piK*y*n*ryptionOptions *onstru*tor's **ll***k us*s uniqi*() (tim*-**s**) *n* m**()