CVE-2021-3538

A flaw was found in github.com/satori/go.uuid in versions from commit 0ef6afb2f6cdd6cdaeee3885a95099c63f18fc8c to d91630c8510268e75203009fe7daf2b8e1d60c45. Due to insecure randomness in the g.rand.Read function the generated UUIDs are predictable for an attacker.

CVSS v3 9.8 CRITICAL
CVSS v2.0 7.5 HIGH

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

7.5^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://bugzilla.redhat.com/show_bug.cgi?id=1954376	Issue Tracking Third Party Advisory
https://github.com/satori/go.uuid/issues/73	Third Party Advisory
https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMSATORIGOUUID-72488	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:go.uuid_project:go.uuid:*:*:*:*:*:*:*:*

History

14 Jun 2021, 13:37

Type	Values Removed	Values Added
References	~~(MISC) https://github.com/satori/go.uuid/issues/73 -~~	(MISC) https://github.com/satori/go.uuid/issues/73 - Third Party Advisory
References	~~(MISC) https://bugzilla.redhat.com/show_bug.cgi?id=1954376 -~~	(MISC) https://bugzilla.redhat.com/show_bug.cgi?id=1954376 - Issue Tracking, Third Party Advisory
References	~~(MISC) https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMSATORIGOUUID-72488 -~~	(MISC) https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMSATORIGOUUID-72488 - Third Party Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : 7.5 v3 : 9.8
CWE		CWE-338
CPE		cpe:2.3:a:go.uuid_project:go.uuid::::::::

02 Jun 2021, 15:17

Type	Values Removed	Values Added
New CVE

Information

Published : 2021-06-02 14:15

Updated : 2023-12-10 13:55

NVD link : CVE-2021-3538

Mitre link : CVE-2021-3538

CVE.ORG link : CVE-2021-3538

JSON object : View

Products Affected

go.uuid_project

go.uuid

CWE

CWE-338

Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

{"id": "CVE-2021-3538", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2021-06-02T14:15:09.993", "references": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1954376", "tags": ["Issue Tracking", "Third Party Advisory"], "source": "secalert@redhat.com"}, {"url": "https://github.com/satori/go.uuid/issues/73", "tags": ["Third Party Advisory"], "source": "secalert@redhat.com"}, {"url": "https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMSATORIGOUUID-72488", "tags": ["Third Party Advisory"], "source": "secalert@redhat.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-338"}]}, {"type": "Secondary", "source": "secalert@redhat.com", "description": [{"lang": "en", "value": "CWE-338"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in github.com/satori/go.uuid in versions from commit 0ef6afb2f6cdd6cdaeee3885a95099c63f18fc8c to d91630c8510268e75203009fe7daf2b8e1d60c45. Due to insecure randomness in the g.rand.Read function the generated UUIDs are predictable for an attacker."}, {"lang": "es", "value": "Se ha encontrado un fallo en github.com/satori/go.uuid en las versiones desde el commit 0ef6afb2f6cdd6cdaeee3885a95099c63f18fc8c hasta d91630c8510268e75203009fe7daf2b8e1d60c45. Debido a una aleatoriedad no segura en la funci\u00f3n g.rand.Read los UUIDs generados son predecibles para un atacante"}], "lastModified": "2021-06-14T13:37:17.353", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:go.uuid_project:go.uuid:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4585CCC5-D435-4978-86BA-6BE70BF425B5", "versionEndExcluding": "1.2"}], "operator": "OR"}]}], "sourceIdentifier": "secalert@redhat.com"}