Description
Due Date: 2023-01-10
A medium severity vulnerability has been discovered in your project.
Project Name: kondukto-ui-vue
Scanner Name: dependabot
CWE ID: 200
CWE Name: Information Exposure
CWE Link: https://cwe.mitre.org/data/definitions/200.html
File: package-lock.json
Packages:
- nanoid:3.1.20
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-23566
- fix collision by proxy number ai/nanoid#328
- ai/nanoid@2b7bd93
- https://gist.github.com/artalar/bc6d1eb9a3477d15d2772e876169a444
- https://snyk.io/vuln/SNYK-JS-NANOID-2332193
- GHSA-qrpm-p2h7-hrv2
Kondukto Remediation:
1: fgdfgdg
2: gbngf
3: kjnkj
Training (Secure Code Warrior):
- Name: Exposure of Sensitive Information to an Unauthorized Actor
  Description: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
  Videos:
- Name: Missing Custom Error Page
  Description: The software does not return custom error pages to the user, possibly exposing sensitive information.
  Videos:
- Name: Generation of Error Message Containing Sensitive Information
  Description: The software generates an error message that includes sensitive information about its environment, users, or associated data.
  Videos:
- Name: OWASP Top Ten 2017 Category A6 - Security Misconfiguration
  Description: Weaknesses in this category are related to the A6 category in the OWASP Top Ten 2017.
  Videos:
Tool Description:
### Summary
Exposure of Sensitive Information to an Unauthorized Actor in nanoid
Fixed Patch: 3.1.31
The package nanoid from 3.0.0, before 3.1.31, is vulnerable to Information Exposure via the valueOf() function, which allows reproducing the last id generated.
Kondukto Link: https://82.kondukto.local/projects/63b2e875fcd0c2a01b845757/vulns/appsec?page=1&perPage=15&id=in:63bbc8a5b3a8a9664878e70e
Deeplink: GHSA-qrpm-p2h7-hrv2