CVE-2019-25061: Insecure PRNG use in random_password_generator

May 19, 2022 (updated May 25, 2022)

The random_password_generator (aka RandomPasswordGenerator) gem through 1.0.0 for Ruby uses Kernel#rand to generate passwords, which, due to its cyclic nature, can facilitate password prediction.

References

github.com/advisories/GHSA-ggfx-h9xj-5v9c
github.com/bvsatyaram/random_password_generator/pull/1
nvd.nist.gov/vuln/detail/CVE-2019-25061
ruby-doc.org/core-3.1.2/Random.html
stackoverflow.com/questions/42170239/security-of-rand-in-ruby-compared-to-other-methods/42170560

Detect and mitigate CVE-2019-25061 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →