CVE-2021-23566 | nanoid:3.1.20 (CWE-200)

[ckalpakoglu]

Due Date: 2023-01-10

A medium severity vulnerability has been discovered in your project.

Project Name: kondukto-ui-vue

Scanner Name: dependabot

Cwe ID: 200

Cwe Name: Information Exposure

Cwe Link: https://cwe.mitre.org/data/definitions/200.html

File: package-lock.json

Packages:

• nanoid:3.1.20

References:

• https://nvd.nist.gov/vuln/detail/CVE-2021-23566
• https://github.com/ai/nanoid/pull/328
• https://github.com/ai/nanoid/commit/2b7bd9332bc49b6330c7ddb08e5c661833db2575
• https://gist.github.com/artalar/bc6d1eb9a3477d15d2772e876169a444
• https://snyk.io/vuln/SNYK-JS-NANOID-2332193
• https://github.com/advisories/GHSA-qrpm-p2h7-hrv2

Kondukto Remediation

1: fgdfgdg 2: gbngf 3: kjnkj

Training(Secure Code Warrior):

• Name: Exposure of Sensitive Information to an Unauthorized Actor

• Description: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

• Link: https://portal.securecodewarrior.com/?utm_source=partner-integration:kondukto#/contextual-microlearning/web/infoexposure/sensitiveinfo

• Videos:

  • https://media.securecodewarrior.com/v2/module_57_sensitive_data_exposure.mp4

    ---

• Name: Missing Custom Error Page

• Description: The software does not return custom error pages to the user, possibly exposing sensitive information.

• Link: https://portal.securecodewarrior.com/?utm_source=partner-integration:kondukto#/contextual-microlearning/web/infoexposure/errordetails

• Videos:

  • https://media.securecodewarrior.com/v2/module_184_error_details.mp4

    ---

• Name: Generation of Error Message Containing Sensitive Information

• Description: The software generates an error message that includes sensitive information about its environment, users, or associated data.

• Link: https://portal.securecodewarrior.com/?utm_source=partner-integration:kondukto#/contextual-microlearning/web/infoexposure/errordetails

• Videos:

  • https://media.securecodewarrior.com/v2/module_184_error_details.mp4

    ---

• Name: OWASP Top Ten 2017 Category A6 - Security Misconfiguration

• Description: Weaknesses in this category are related to the A6 category in the OWASP Top Ten 2017.

• Link: https://portal.securecodewarrior.com/?utm_source=partner-integration:kondukto#/contextual-microlearning/web/misconfig

• Videos:

---

Tool Description: ### Summary

Exposure of Sensitive Information to an Unauthorized Actor in nanoid

Fixed Patch

3.1.31

The package nanoid from 3.0.0, before 3.1.31, are vulnerable to Information Exposure via the valueOf() function which allows to reproduce the last id generated.

Kondukto Link: https://82.kondukto.local/projects/63b2e875fcd0c2a01b845757/vulns/appsec?page=1&perPage=15&id=in:63bbc8a5b3a8a9664878e70e Deeplink: https://github.com/advisories/GHSA-qrpm-p2h7-hrv2

[ckalpakoglu]

The issue has been closed by Kondukto since it is marked as won't fix.