GMS-2015-48: Potential Information Disclosure and Insufficient Entropy in Zend\Captcha\Word
Zend generates a “word” for a CAPTCHA challenge by selecting a sequence of random letters from a character set. The selection is performed using PHP’s internal array_rand() function. This function does not generate sufficient entropy because it relies on rand() instead of a cryptographically secure source such as openssl_random_pseudo_bytes(). This can potentially lead to information disclosure should an attacker be able to brute force the random number generation.
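The weak selection described above beside a hardened form, as an added example that is not code from Zend Framework or from this advisory. The character set is constructed for the demonstration, and the hardened version assumes PHP 7.0 or later so that random_int() and hash_equals() are available.

```php
<?php
// Added example (not Zend's code): build a CAPTCHA word from a character
// set, first the weak way the advisory describes, then a hardened way.

// Constructed character set for this demonstration only; it deliberately
// omits look-alike glyphs (0/O, 1/l/I). Zend's own set is not reproduced.
const CHARSET = 'abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789';

// Weak: array_rand() draws its index from PHP's non-cryptographic generator
// (rand()/mt_rand()), whose output is predictable to anyone who can recover
// the generator state. This is the pattern the advisory flags.
function weakWord(int $length): string
{
    $chars = str_split(CHARSET);
    $word = '';
    for ($i = 0; $i < $length; $i++) {
        $word .= $chars[array_rand($chars)];
    }
    return $word;
}

// Hardened: random_int() (PHP >= 7.0) returns an unbiased integer from the
// operating system's CSPRNG, so each position is independent and
// unpredictable regardless of how many earlier words an attacker has seen.
function secureWord(int $length): string
{
    $chars = str_split(CHARSET);
    $max = count($chars) - 1;
    $word = '';
    for ($i = 0; $i < $length; $i++) {
        $word .= $chars[random_int(0, $max)];
    }
    return $word;
}

// Compare the submitted answer in constant time so that the check itself
// does not leak the expected word character by character through timing.
function verifyAnswer(string $expected, string $submitted): bool
{
    return hash_equals($expected, $submitted);
}

$word = secureWord(6);
echo "challenge: {$word}", PHP_EOL;
var_dump(verifyAnswer($word, $word));   // bool(true)
var_dump(verifyAnswer($word, 'wrong1')); // bool(false)
```

On PHP releases older than 7.0, random_int() is unavailable and openssl_random_pseudo_bytes() with a rejection-sampling loop over the byte value is the usual substitute; the weak array_rand() path should not be used in either case.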