CVE-2020-28924

{"id": "CVE-2020-28924", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2020-11-19T20:15:12.983", "references": [{"url": "https://github.com/rclone/rclone/issues/4783", "tags": ["Exploit", "Patch", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UJIFT24Q6EFXLQZ24AER2QGFFZLMIPCD/", "source": "cve@mitre.org"}, {"url": "https://rclone.org/downloads/", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://security.gentoo.org/glsa/202107-14", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-331"}, {"lang": "en", "value": "CWE-338"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Rclone before 1.53.3. Due to the use of a weak random number generator, the password generator has been producing weak passwords with much less entropy than advertised. The suggested passwords depend deterministically on the time the second rclone was started. This limits the entropy of the passwords enormously. These passwords are often used in the crypt backend for encryption of data. It would be possible to make a dictionary of all possible passwords with about 38 million entries per password length. This would make decryption of secret material possible with a plausible amount of effort. NOTE: all passwords generated by affected versions should be changed."}, {"lang": "es", "value": "Se detect\u00f3 un problema en Rclone versiones anteriores a 1.53.3. Debido al uso de un generador de n\u00fameros aleatorios d\u00e9bil, el generador de contrase\u00f1as ha estado produciendo contrase\u00f1as d\u00e9biles con mucha menos entrop\u00eda de la anunciada. Las contrase\u00f1as sugeridas dependen determin\u00edsticamente de la hora en que se inici\u00f3 el segundo rclone. Esto limita enormemente la entrop\u00eda de las contrase\u00f1as. Estas contrase\u00f1as se utilizan a menudo en el backend crypt para el cifrado de datos. Ser\u00eda posible construir un diccionario de todas las contrase\u00f1as posibles con aproximadamente 38 millones de entradas por longitud de contrase\u00f1a. Esto har\u00eda posible el descifrado de material secreto con una cantidad plausible de esfuerzo. NOTA: todas las contrase\u00f1as generadas mediante las versiones afectadas deben ser cambiadas"}], "lastModified": "2023-11-07T03:21:24.517", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:rclone:rclone:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "51547D1F-DCCA-4601-B34D-F81DA428CCFC", "versionEndExcluding": "1.53.3"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E460AA51-FCDA-46B9-AE97-E6676AA5E194"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}