
API tokens are generated with a weak PRNG

Moderate
amousset published GHSA-64j7-mm2c-8j74 Jul 11, 2023

Package

rudder-webapp (rudder)

Affected versions

< 6.1.19
>= 6.2.0, < 6.2.13
>= 7.0.0, < 7.0.2

Patched versions

6.1.19
6.2.13
7.0.2

Description

Impact

Rudder used scala.util.Random (which is actually based on java.util.Random, a non-cryptographic PRNG), which is not suitable for generating secrets and may allow tokens to be guessed.
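The following Scala snippet is an added illustration of the issue described above; it is not Rudder's code and the object and method names (ApiTokens, weakToken, weakTokenFromSeed, secureToken) are hypothetical. It places a token generator built on scala.util.Random beside the hardened form built on java.security.SecureRandom, and shows why the former is unsuitable: its output is a pure function of a small seed, so two generators started from the same seed produce the same "secret".

```scala
import java.security.SecureRandom
import java.util.Base64
import scala.util.Random

// Hypothetical illustration, not Rudder's implementation.
object ApiTokens {
  // WEAK: scala.util.Random delegates to java.util.Random, a 48-bit linear
  // congruential generator. Its output is fully determined by the seed and
  // is not designed to resist an observer who sees some of its output, so it
  // must not be used for API tokens, session IDs or any other secret.
  def weakToken(length: Int = 32): String =
    Random.alphanumeric.take(length).mkString

  // Same weak generator, explicitly seeded, to demonstrate determinism.
  def weakTokenFromSeed(seed: Long, length: Int = 32): String =
    new Random(seed).alphanumeric.take(length).mkString

  // HARDENED: java.security.SecureRandom draws from the platform CSPRNG.
  // One shared instance is fine; SecureRandom is thread-safe.
  private val secureRandom = new SecureRandom()

  // 32 random bytes give 256 bits of entropy; URL-safe base64 without padding
  // keeps the token usable in HTTP headers and query strings.
  def secureToken(byteLength: Int = 32): String = {
    val bytes = new Array[Byte](byteLength)
    secureRandom.nextBytes(bytes)
    Base64.getUrlEncoder().withoutPadding().encodeToString(bytes)
  }
}

object ApiTokenDemo {
  def main(args: Array[String]): Unit = {
    // Same seed, same token: the weak generator has no secret beyond its seed.
    val a = ApiTokens.weakTokenFromSeed(42L)
    val b = ApiTokens.weakTokenFromSeed(42L)
    println(s"weak tokens from the same seed are equal: ${a == b}")

    // Two SecureRandom tokens share no relationship an observer could exploit.
    println(s"secure token 1: ${ApiTokens.secureToken()}")
    println(s"secure token 2: ${ApiTokens.secureToken()}")
  }
}
```

When auditing a code base for this class of bug, the thing to grep for is any use of scala.util.Random, java.util.Random or Math.random in a code path that produces a credential; each such site should be moved to SecureRandom, and, as the advisory recommends, tokens minted by the old code should be regenerated rather than merely rotated on a schedule, since their predictability does not improve with age.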

Patches

This bug has been fixed in Rudder 6.1.19, 6.2.13, 7.0.2 which were released on 2022/04/08.

Users are advised to regenerate API tokens created in affected versions.

Workarounds

None.

References

Severity

Moderate

CVE ID

No known CVE

Weaknesses