CRITICAL 9.8

GHSA-rq8g-5pc5-wrhr

Insufficient Entropy in cryptiles

Details

Versions of `cryptiles` prior to 4.1.2 are vulnerable to Insufficient Entropy. The `randomDigits()` method does not provide sufficient entropy, and it generates digits that are not evenly distributed.
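The following is an added example, not code from `cryptiles` or from this advisory. It assumes, purely for illustration, a generator that reduces each random byte with `% 10`, which is one common way decimal digits end up unevenly distributed, and compares it with rejection sampling; `sourceValuesPerDigit`, `moduloOnly`, `rejectThenModulo` and `uniformDigits` are hypothetical names.

```javascript
'use strict';
const crypto = require('crypto');

// Exhaustively count how many of the 256 possible byte values land on each
// digit 0-9. `mapByte` returns a digit, or null when the byte is discarded.
function sourceValuesPerDigit(mapByte) {
    const counts = new Array(10).fill(0);
    for (let byte = 0; byte < 256; ++byte) {
        const digit = mapByte(byte);
        if (digit !== null) {
            counts[digit]++;
        }
    }
    return counts;
}

// Assumed biased mapping: 256 is not a multiple of 10, so digits 0-5 are
// backed by 26 byte values each and digits 6-9 by only 25.
const moduloOnly = (byte) => byte % 10;

// Rejection sampling: bytes 250-255 are thrown away, leaving exactly
// 25 byte values per digit.
const rejectThenModulo = (byte) => (byte < 250 ? byte % 10 : null);

// A mapping is uniform when every digit has the same number of sources.
function isUniform(counts) {
    return counts.every((count) => count === counts[0]);
}

// Digit generator built on the uniform mapping. It keeps drawing bytes from
// the CSPRNG until `size` accepted digits have been collected.
function uniformDigits(size) {
    const digits = [];
    while (digits.length < size) {
        const buffer = crypto.randomBytes(size * 2);
        for (let i = 0; i < buffer.length && digits.length < size; ++i) {
            const digit = rejectThenModulo(buffer[i]);
            if (digit !== null) {
                digits.push(digit);
            }
        }
    }
    return digits.join('');
}
```

Passing your own byte-to-digit function to `sourceValuesPerDigit` is a quick way to audit a numeric code generator for the same class of skew.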

## Recommendation

Upgrade to version 4.1.2. The package is deprecated and has been moved to `@hapi/cryptiles`; it is strongly recommended to use the maintained package.

Affected packages

npm / cryptiles
Introduced in: 4.0.0
Fixed in: 4.1.2
Fix: `npm install cryptiles@4.1.2`

npm / cryptiles
Introduced in: 3.1.0
Fixed in: 3.1.3
Fix: `npm install cryptiles@3.1.3`
