View online: https://www.drupal.org/sa-contrib-2018-042
Project: Generate Password [1] Version: 7.x-1.x-dev Date: 2018-June-27 Security risk: *Less critical* 9∕25 AC:Complex/A:User/CI:Some/II:None/E:Theoretical/TD:Default [2] Vulnerability: Insecure Randomness
Description: The Genpass module makes the password field optional (or hidden) on the add new user page (admin & registration). If the password field is not set during registration, the system generates a password.
The module doesn't use a strong source of randomness, creating weak and predictable passwords.
This vulnerability is mitigated by the fact that the site must be configured to reveal the password to the attacker which is a common configuration.
-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./
Solution: Install the latest version:
* If you use the Genpass module for Drupal 7.x-1.x, upgrade to Genpass 7.x-1.1 [4]
Also see the Generate Password [5] project page.
Reported By: * Greg Knaddison [6] of the Drupal Security Team
Fixed By: * Joel Stein [7] a module maintainer
Coordinated By: * Greg Knaddison [8] of the Drupal Security Team
[1] https://www.drupal.org/project/genpass [2] https://www.drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] https://www.drupal.org/project/genpass/releases/7.x-1.1 [5] https://www.drupal.org/project/genpass [6] https://www.drupal.org/user/36762 [7] https://www.drupal.org/user/36598 [8] https://www.drupal.org/u/greggles