CVE-2022-23472: Passeo uses insecure random number generator
All versions of Passeo below v1.0.5 are affected. Passeo generated passwords with Python's random library, which is not a cryptographically secure generator, so the passwords it produced can be guessed more easily than their length suggests and confidentiality is at risk. Upgrade to v1.0.5, which patches this by generating passwords with the secrets library, and change any passwords that were made with Passeo before v1.0.5.
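The following is an added illustration of the defect class described above; it is not Passeo's code or the project's fix. It shows a generator built on the random module (the pattern the advisory describes, reproduced here as an assumption about its shape) beside the secrets-based form recommended by PEP 506, and a small AST audit that flags calls into the random module so a reviewer can find this pattern in their own code. Function names and the alphabet are the example's own choices.

```python
import ast
import random
import secrets
import string

# Character set used by both generators below (chosen for this example).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def weak_password(length: int, seed=None) -> str:
    """Password from the random module (a Mersenne Twister, not a CSPRNG).

    This mirrors the pre-1.0.5 pattern the advisory describes. Taking an
    explicit seed makes the weakness observable: the same seed always yields
    the same "password", which is exactly what a secure generator must not do.
    """
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def secure_password(length: int) -> str:
    """Password from the secrets module, which draws from the OS CSPRNG.

    This is the fix direction taken in v1.0.5: secrets.choice instead of
    random.choice.
    """
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def is_reproducible(seed, length: int = 16) -> bool:
    """True if two runs of the weak generator with one seed agree."""
    return weak_password(length, seed) == weak_password(length, seed)


def find_insecure_random_calls(source: str):
    """Return (lineno, function) for every call of the form random.<func>(...).

    A lightweight audit for code review or CI; it only catches direct
    module-attribute calls, not instances created via random.Random().
    """
    tree = ast.parse(source)
    hits = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
            base = node.func.value
            if isinstance(base, ast.Name) and base.id == "random":
                hits.append((node.lineno, node.func.attr))
    return hits


if __name__ == "__main__":
    # Constructed snippet standing in for a password generator under review.
    sample = "import random\n\ndef gen(n):\n    return random.choice('abc') * n\n"
    print("random-module calls found:", find_insecure_random_calls(sample))
    print("weak generator reproducible with fixed seed:", is_reproducible(1234))
    print("secure password:", secure_password(20))
```

Run the audit over a repository by feeding each module's source to find_insecure_random_calls; any hit inside password, token or key generation code is the pattern this advisory describes and should be moved to secrets.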
References
- github.com/ArjunSharda/Passeo
- github.com/ArjunSharda/Passeo/commit/8caa798b6bc4647dca59b2376204b6dc6176361a
- github.com/ArjunSharda/Passeo/security/advisories/GHSA-mhhf-vgwh-fw9h
- github.com/advisories/GHSA-mhhf-vgwh-fw9h
- github.com/pypa/advisory-database/tree/main/vulns/passeo/PYSEC-2022-42997.yaml
- nvd.nist.gov/vuln/detail/CVE-2022-23472
- peps.python.org/pep-0506