GHSA-pjx8-984p-7p3x: FOSUserBundle Entropy is lost in the TokenGenerator
Because of the usage of base_convert which looses precision for large inputs, the entropy of tokens generated by FOSUserBundle for the email confirmation and password resetting is lost. This makes these tokens much less random than they are expected to be, and so not cryptographically safe.
References
- github.com/FriendsOfPHP/security-advisories/blob/master/friendsofsymfony/user-bundle/2014-09-04-1.yaml
- github.com/FriendsOfSymfony/FOSUserBundle
- github.com/FriendsOfSymfony/FOSUserBundle/commit/b3ebfea52065e9727508f5f8e6c9f7459a1b06d8
- github.com/advisories/GHSA-pjx8-984p-7p3x
- symfony.com/blog/fosuserbundle-entropy-of-generated-tokens-is-lost
Detect and mitigate GHSA-pjx8-984p-7p3x with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →