logo

Database

Insecure generation of random numbers In zendframework/zendframework

Description

ZendFramework Information Disclosure and Insufficient Entropy vulnerability In Zend Framework, Zend_Captcha_Word (v1) and Zend\Captcha\Word (v2) generate a "word" for a CAPTCHA challenge by selecting a sequence of random letters from a character set. Prior to this advisory, the selection was performed using PHP's internal array_rand() function. This function does not generate sufficient entropy due to its usage of rand() instead of more cryptographically secure methods such as openssl_pseudo_random_bytes(). This could potentially lead to information disclosure should an attacker be able to brute force the random number generation.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. GCVE-GHSA-2fhr-8r8r-qp56

References

1. https://github.com/zendframework/zendframework/commit/ced8ff93ef892a64885c03f5dfab3f788a2197092. https://framework.zend.com/security/advisory/ZF2015-093. https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework/ZF2015-09.yaml

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.