Vulnerabilities > CVE-2019-25061 - Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) vulnerability in Random Password Generator Project Random Password Generator
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
NONE Availability impact
NONE Summary
The random_password_generator (aka RandomPasswordGenerator) gem through 1.0.0 for Ruby uses Kernel#rand to generate passwords, which, due to its cyclic nature, can facilitate password prediction.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
References
- https://stackoverflow.com/questions/42170239/security-of-rand-in-ruby-compared-to-other-methods/42170560
- https://github.com/bvsatyaram/random_password_generator/blob/2855e8d7d8803dbb580ddd6cf13846394eb4530e/lib/random_password_generator.rb#L23
- https://github.com/bvsatyaram/random_password_generator/pull/1
- https://ruby-doc.org/core-3.1.2/Random.html