|
1 |
| -```toml |
2 |
| -[advisory] |
3 |
| -id = "RUSTSEC-0000-0000" |
4 |
| -package = "nano-id" |
5 |
| -date = "2024-06-03" |
6 |
| -categories = ["crypto-failure"] |
7 |
| -cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L" |
8 |
| - |
9 |
| -[affected] |
10 |
| -functions = { "nano_id::base58" = ["< 0.4.0"], "nano_id::base62" = ["< 0.4.0"], "nano_id::gen" = ["< 0.4.0"] } |
11 |
| - |
12 |
| -[versions] |
13 |
| -patched = [">= 0.4.0"] |
14 |
| -``` |
15 |
| - |
16 |
| -# Reduced entropy due to inadequate character set usage |
17 |
| - |
18 |
| -## Description |
19 |
| - |
20 |
| -Affected versions of the nano-id crate incorrectly generated IDs using a reduced character set in the `nano_id::base62` and `nano_id::base58` functions. Specifically, the `base62` function used a character set of 32 symbols instead of the intended 62 symbols, and the `base58` function used a character set of 16 symbols instead of the intended 58 symbols. Additionally, the `nano_id::gen` macro is also affected when a custom character set that is not a power of 2 in size is specified. |
21 |
| - |
22 |
| -It should be noted that `nano_id::base64` is not affected by this vulnerability. |
23 |
| - |
24 |
| -## Impact |
25 |
| - |
26 |
| -This can result in a significant reduction in entropy, making the generated IDs predictable and vulnerable to brute-force attacks when the IDs are used in security-sensitive contexts such as session tokens or unique identifiers. |
27 |
| - |
28 |
| -## Patches |
29 |
| - |
30 |
| -The flaws were corrected in commit [a9022772b2f1ce38929b5b81eccc670ac9d3ab23](https://github.com/viz-rs/nano-id/commit/a9022772b2f1ce38929b5b81eccc670ac9d3ab23) by updating the the `nano_id::gen` macro to use all specified characters correctly. |
31 |
| - |
32 |
| -## PoC |
33 |
| - |
34 |
| -```rust |
35 |
| -use std::collections::BTreeSet; |
36 |
| - |
37 |
| -fn main() { |
38 |
| - test_base58(); |
39 |
| - test_base62(); |
40 |
| -} |
41 |
| - |
42 |
| -fn test_base58() { |
43 |
| - let mut produced_symbols = BTreeSet::new(); |
44 |
| - |
45 |
| - for _ in 0..100_000 { |
46 |
| - let id = nano_id::base58::<10>(); |
47 |
| - for c in id.chars() { |
48 |
| - produced_symbols.insert(c); |
49 |
| - } |
50 |
| - } |
51 |
| - |
52 |
| - println!( |
53 |
| - "{} symbols generated from nano_id::base58", |
54 |
| - produced_symbols.len() |
55 |
| - ); |
56 |
| -} |
57 |
| - |
58 |
| -fn test_base62() { |
59 |
| - let mut produced_symbols = BTreeSet::new(); |
60 |
| - |
61 |
| - for _ in 0..100_000 { |
62 |
| - let id = nano_id::base62::<10>(); |
63 |
| - for c in id.chars() { |
64 |
| - produced_symbols.insert(c); |
65 |
| - } |
66 |
| - } |
67 |
| - |
68 |
| - println!( |
69 |
| - "{} symbols generated from nano_id::base62", |
70 |
| - produced_symbols.len() |
71 |
| - ); |
72 |
| -} |
73 |
| -``` |
| 1 | +```toml |
| 2 | +[advisory] |
| 3 | +id = "RUSTSEC-2024-0343" |
| 4 | +package = "nano-id" |
| 5 | +date = "2024-06-03" |
| 6 | +categories = ["crypto-failure"] |
| 7 | +cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L" |
| 8 | + |
| 9 | +[affected] |
| 10 | +functions = { "nano_id::base58" = ["< 0.4.0"], "nano_id::base62" = ["< 0.4.0"], "nano_id::gen" = ["< 0.4.0"] } |
| 11 | + |
| 12 | +[versions] |
| 13 | +patched = [">= 0.4.0"] |
| 14 | +``` |
| 15 | + |
| 16 | +# Reduced entropy due to inadequate character set usage |
| 17 | + |
| 18 | +## Description |
| 19 | + |
| 20 | +Affected versions of the nano-id crate incorrectly generated IDs using a reduced character set in the `nano_id::base62` and `nano_id::base58` functions. Specifically, the `base62` function used a character set of 32 symbols instead of the intended 62 symbols, and the `base58` function used a character set of 16 symbols instead of the intended 58 symbols. Additionally, the `nano_id::gen` macro is also affected when a custom character set that is not a power of 2 in size is specified. |
| 21 | + |
| 22 | +It should be noted that `nano_id::base64` is not affected by this vulnerability. |
| 23 | + |
| 24 | +## Impact |
| 25 | + |
| 26 | +This can result in a significant reduction in entropy, making the generated IDs predictable and vulnerable to brute-force attacks when the IDs are used in security-sensitive contexts such as session tokens or unique identifiers. |
| 27 | + |
| 28 | +## Patches |
| 29 | + |
| 30 | +The flaws were corrected in commit [a9022772b2f1ce38929b5b81eccc670ac9d3ab23](https://github.com/viz-rs/nano-id/commit/a9022772b2f1ce38929b5b81eccc670ac9d3ab23) by updating the the `nano_id::gen` macro to use all specified characters correctly. |
| 31 | + |
| 32 | +## PoC |
| 33 | + |
| 34 | +```rust |
| 35 | +use std::collections::BTreeSet; |
| 36 | + |
| 37 | +fn main() { |
| 38 | + test_base58(); |
| 39 | + test_base62(); |
| 40 | +} |
| 41 | + |
| 42 | +fn test_base58() { |
| 43 | + let mut produced_symbols = BTreeSet::new(); |
| 44 | + |
| 45 | + for _ in 0..100_000 { |
| 46 | +id = "RUSTSEC-2024-0343" |
| 47 | + for c in id.chars() { |
| 48 | + produced_symbols.insert(c); |
| 49 | + } |
| 50 | + } |
| 51 | + |
| 52 | + println!( |
| 53 | + "{} symbols generated from nano_id::base58", |
| 54 | + produced_symbols.len() |
| 55 | + ); |
| 56 | +} |
| 57 | + |
| 58 | +fn test_base62() { |
| 59 | + let mut produced_symbols = BTreeSet::new(); |
| 60 | + |
| 61 | + for _ in 0..100_000 { |
| 62 | +id = "RUSTSEC-2024-0343" |
| 63 | + for c in id.chars() { |
| 64 | + produced_symbols.insert(c); |
| 65 | + } |
| 66 | + } |
| 67 | + |
| 68 | + println!( |
| 69 | + "{} symbols generated from nano_id::base62", |
| 70 | + produced_symbols.len() |
| 71 | + ); |
| 72 | +} |
| 73 | +``` |