
078 Insecurely generated token


Description

It is possible to crack the token's hash and obtain the information it is masking because it is not generated using a secure cryptographic mechanism.


Impact

Reuse session tokens 14 days after they were created.


Recommendation

Generate a token with random components without sensitive information.
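The weak pattern described above beside a token built as recommended, as an added example that is not part of the original entry. The MD5-over-username construction, the `SessionStore` class and the 14-day lifetime constant are assumptions chosen for illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 14 * 24 * 3600  # assumed session lifetime; set per policy

def weak_token(username: str, issued_at: int) -> str:
    """Anti-pattern: fast unsalted hash over guessable, sensitive inputs."""
    return hashlib.md5(f"{username}:{issued_at}".encode()).hexdigest()

def recover_weak_token_inputs(token, usernames, window):
    """Why the weak form fails review: its inputs can be enumerated offline."""
    for name in usernames:
        for ts in window:
            if weak_token(name, ts) == token:
                return name, ts
    return None

class SessionStore:
    """Hypothetical in-memory store; a real service would use its database."""

    def __init__(self):
        self._sessions = {}  # sha256(token) -> (username, expires_at)

    def issue(self, username, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        # Only a digest is stored, so a leaked table yields no usable tokens.
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._sessions[digest] = (username, now + TOKEN_TTL_SECONDS)
        return token  # opaque: carries no user data to recover

    def validate(self, token, now=None):
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._sessions.get(digest)
        if entry is None:
            return None
        username, expires_at = entry
        if now >= expires_at:
            del self._sessions[digest]  # expired tokens cannot be replayed
            return None
        return username
```

Because the random token is only an index into server-side state, expiry and revocation are enforced by the store and not by anything encoded in the token.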


Threat

Anonymous attacker from the Internet with access to the hash.


Expected Remediation Time

60 minutes.


Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the src.

Base 4.0

  • Attack vector: N
  • Attack complexity: H
  • Attack Requirements: N
  • Privileges required: N
  • User interaction: N
  • Confidentiality (VC): L
  • Integrity (VI): L
  • Availability (VA): N
  • Confidentiality (SC): N
  • Integrity (SI): N
  • Availability (SA): N

Threat 4.0

  • Exploit maturity: P

Requirements


Fixes


Last updated

2024/02/12