rustsec/advisory-db
1
0
Fork 0
mirror of https://github.com/rustsec/advisory-db.git synced 2025-12-27 01:54:07 -05:00
Code Issues Packages Projects Releases Wiki Activity

Assigned RUSTSEC-2024-0343 to nano-id (#1975)

Browse Source 
Co-authored-by: Shnatsel <291257+Shnatsel@users.noreply.github.com>
This commit is contained in:
github-actions[bot]
2024-06-03 08:19:16 +01:00
committed by GitHub
parent d40f0296a3
commit 5b8417ef30
2 changed files with 74 additions and 74 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
.duplicate-id-guard
View File

@@ -1,3 +1,3 @@
This file causes merge conflicts if two ID assignment jobs run concurrently.
This prevents duplicate ID assignment due to a race between those jobs.
033b059b6cbbf2107fc1270372f4f929601a920f3927c9d46b3f1f937901c634 -
355219d456e3bebbb0dae3cfbd423aff2ade3ac94ad1e1823fc344e6b5eae139 -

146
crates/nano-id/RUSTSEC-0000-0000.md → crates/nano-id/RUSTSEC-2024-0343.md
View File

@@ -1,73 +1,73 @@
```toml
[advisory]
id = "RUSTSEC-0000-0000"
package = "nano-id"
date = "2024-06-03"
categories = ["crypto-failure"]
cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
[affected]
functions = { "nano_id::base58" = ["< 0.4.0"], "nano_id::base62" = ["< 0.4.0"], "nano_id::gen" = ["< 0.4.0"] }
[versions]
patched = [">= 0.4.0"]
```
# Reduced entropy due to inadequate character set usage
## Description
Affected versions of the nano-id crate incorrectly generated IDs using a reduced character set in the `nano_id::base62` and `nano_id::base58` functions. Specifically, the `base62` function used a character set of 32 symbols instead of the intended 62 symbols, and the `base58` function used a character set of 16 symbols instead of the intended 58 symbols. Additionally, the `nano_id::gen` macro is also affected when a custom character set that is not a power of 2 in size is specified.
It should be noted that `nano_id::base64` is not affected by this vulnerability.
## Impact
This can result in a significant reduction in entropy, making the generated IDs predictable and vulnerable to brute-force attacks when the IDs are used in security-sensitive contexts such as session tokens or unique identifiers.
## Patches
The flaws were corrected in commit [a9022772b2f1ce38929b5b81eccc670ac9d3ab23](https://github.com/viz-rs/nano-id/commit/a9022772b2f1ce38929b5b81eccc670ac9d3ab23) by updating the the `nano_id::gen` macro to use all specified characters correctly.
## PoC
```rust
use std::collections::BTreeSet;
fn main() {
test_base58();
test_base62();
}
fn test_base58() {
let mut produced_symbols = BTreeSet::new();
for _ in 0..100_000 {
let id = nano_id::base58::<10>();
for c in id.chars() {
produced_symbols.insert(c);
}
}
println!(
"{} symbols generated from nano_id::base58",
produced_symbols.len()
);
}
fn test_base62() {
let mut produced_symbols = BTreeSet::new();
for _ in 0..100_000 {
let id = nano_id::base62::<10>();
for c in id.chars() {
produced_symbols.insert(c);
}
}
println!(
"{} symbols generated from nano_id::base62",
produced_symbols.len()
);
}
```
```toml
[advisory]
id = "RUSTSEC-2024-0343"
package = "nano-id"
date = "2024-06-03"
categories = ["crypto-failure"]
cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
[affected]
functions = { "nano_id::base58" = ["< 0.4.0"], "nano_id::base62" = ["< 0.4.0"], "nano_id::gen" = ["< 0.4.0"] }
[versions]
patched = [">= 0.4.0"]
```
# Reduced entropy due to inadequate character set usage
## Description
Affected versions of the nano-id crate incorrectly generated IDs using a reduced character set in the `nano_id::base62` and `nano_id::base58` functions. Specifically, the `base62` function used a character set of 32 symbols instead of the intended 62 symbols, and the `base58` function used a character set of 16 symbols instead of the intended 58 symbols. Additionally, the `nano_id::gen` macro is also affected when a custom character set that is not a power of 2 in size is specified.
It should be noted that `nano_id::base64` is not affected by this vulnerability.
## Impact
This can result in a significant reduction in entropy, making the generated IDs predictable and vulnerable to brute-force attacks when the IDs are used in security-sensitive contexts such as session tokens or unique identifiers.
## Patches
The flaws were corrected in commit [a9022772b2f1ce38929b5b81eccc670ac9d3ab23](https://github.com/viz-rs/nano-id/commit/a9022772b2f1ce38929b5b81eccc670ac9d3ab23) by updating the the `nano_id::gen` macro to use all specified characters correctly.
## PoC
```rust
use std::collections::BTreeSet;
fn main() {
test_base58();
test_base62();
}
fn test_base58() {
let mut produced_symbols = BTreeSet::new();
for _ in 0..100_000 {
id = "RUSTSEC-2024-0343"
for c in id.chars() {
produced_symbols.insert(c);
}
}
println!(
"{} symbols generated from nano_id::base58",
produced_symbols.len()
);
}
fn test_base62() {
let mut produced_symbols = BTreeSet::new();
for _ in 0..100_000 {
id = "RUSTSEC-2024-0343"
for c in id.chars() {
produced_symbols.insert(c);
}
}
println!(
"{} symbols generated from nano_id::base62",
produced_symbols.len()
);
}
```