Vulnerabilities > CVE-2024-36400 - Insufficient Entropy vulnerability in VIZ Nano ID

CVSS 9.8 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

viz

CWE-331

critical

NVD

Published: 2024-06-04

Updated: 2024-06-10

Summary

nano-id is a unique string ID generator for Rust. Affected versions of the nano-id crate incorrectly generated IDs using a reduced character set in the `nano_id::base62` and `nano_id::base58` functions. Specifically, the `base62` function used a character set of 32 symbols instead of the intended 62 symbols, and the `base58` function used a character set of 16 symbols instead of the intended 58 symbols. Additionally, the `nano_id::gen` macro is also affected when a custom character set that is not a power of 2 in size is specified. It should be noted that `nano_id::base64` is not affected by this vulnerability. This can result in a significant reduction in entropy, making the generated IDs predictable and vulnerable to brute-force attacks when the IDs are used in security-sensitive contexts such as session tokens or unique identifiers. The vulnerability is fixed in 0.4.0.

Vulnerable Configurations

Part	Description	Count
Application	Viz VIZ Nano ID - VIZ Nano ID 0.0.1 VIZ Nano ID 0.1.0 VIZ Nano ID 0.1.1 VIZ Nano ID 0.2.0 VIZ Nano ID 0.2.1 VIZ Nano ID 0.3.1 VIZ Nano ID 0.3.2 VIZ Nano ID 0.3.3	9

Common Weakness Enumeration (CWE)

CWE-331 - Insufficient Entropy

Common Attack Pattern Enumeration and Classification (CAPEC)

Session Credential Falsification through Prediction
This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

References