GHSA-mhhf-vgwh-fw9h: Passeo uses insecure random number generator

Package

pip Passeo (pip)

Affected versions

< 1.0.5

Patched versions

1.0.5

Description

Impact

Everyone below v1.0.5 is impacted by this flaw, of confidentiality being at risk due to the password(s) being easily able to be guessed with Passeo’s use of the random library. It is recommended to change any passwords made with Passeo before v1.0.5 and upgrade to v1.0.5, and v1.0.5 patches this with the secrets library.

Workarounds

No current workaround available than updating to v1.0.5.

References

• GHSA-mhhf-vgwh-fw9h
• https://nvd.nist.gov/vuln/detail/CVE-2022-23472
• ArjunSharda/Passeo@8caa798
• https://peps.python.org/pep-0506/

ArjunSharda published the maintainer security advisory

Dec 6, 2022

Severity

Moderate

5.9

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

High

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Weaknesses

CWE-338

CVE ID

CVE-2022-23472

GHSA ID

GHSA-mhhf-vgwh-fw9h

Source code

ArjunSharda/Passeo

Credits

• Bluenix2
• ArjunSharda

Checking history

See something to contribute? Suggest improvements for this vulnerability.