CVE-2020-35926 – nanorand
Package
Manager: cargo
Name: nanorand
Vulnerable Version: >=0 <0.5.1
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00433 (percentile: 0.61951)
Details
Improper random number generation in nanorand

In versions of nanorand prior to 0.5.1, RandomGen implementations for standard unsigned integers could fail to properly generate numbers, due to using bit-shifting to truncate a 64-bit number, rather than just an "as" conversion. This often manifested as RNGs returning nothing but 0, including the cryptographically secure ChaCha random number generator.
Metadata
Created: 2021-08-25T20:50:24Z
Modified: 2023-06-13T20:01:40Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-m9m5-cg5h-r582/GHSA-m9m5-cg5h-r582.json
CWE IDs: ["CWE-338"]
Alternative ID: GHSA-m9m5-cg5h-r582
Finding: F034
Auto approve: 1