[Security-news] Generate Password - Less critical - Insecure Randomness - SA-CONTRIB-2018-042
security-news at drupal.org
security-news at drupal.org
Wed Jun 27 18:24:40 UTC 2018
View online: https://www.drupal.org/sa-contrib-2018-042
Project: Generate Password [1]
Version: 7.x-1.x-dev
Date: 2018-June-27
Security risk: *Less critical* 9∕25
AC:Complex/A:User/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Insecure Randomness
Description:
The Genpass module makes the password field optional (or hidden) on the add
new user page (admin & registration). If the password field is not set during
registration, the system generates a password.
The module doesn't use a strong source of randomness, creating weak and
predictable passwords.
This vulnerability is mitigated by the fact that the site must be configured
to reveal the password to the attacker which is a common configuration.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
Solution:
Install the latest version:
* If you use the Genpass module for Drupal 7.x-1.x, upgrade to Genpass
7.x-1.1 [4]
Also see the Generate Password [5] project page.
Reported By:
* Greg Knaddison [6] of the Drupal Security Team
Fixed By:
* Joel Stein [7] a module maintainer
Coordinated By:
* Greg Knaddison [8] of the Drupal Security Team
[1] https://www.drupal.org/project/genpass
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/genpass/releases/7.x-1.1
[5] https://www.drupal.org/project/genpass
[6] https://www.drupal.org/user/36762
[7] https://www.drupal.org/user/36598
[8] https://www.drupal.org/u/greggles
More information about the Security-news
mailing list