Lookup for vulnerable packages by Package URL.

Purl pkg:composer/zendframework/zend-captcha@2.2.0rc2
Type composer
Namespace zendframework
Name zend-captcha
Version 2.2.0rc2
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 2.4.9
Latest_non_vulnerable_version 2.5.2
Affected_by_vulnerabilities
0
url VCID-5cz1-j5rs-dub8
vulnerability_id VCID-5cz1-j5rs-dub8
summary
Potential Information Disclosure and Insufficient Entropy in Zend\Captcha\Word
Zend generates a "word" for a CAPTCHA challenge by selecting a sequence of random letters from a character set. The selection is performed using PHP's internal `array_rand()` function. This function does not generate sufficient entropy due to its usage of `rand()` instead of more cryptographically secure methods such as `openssl_pseudo_random_bytes()`. This can potentially lead to information disclosure should an attacker be able to brute force the random number generation.
references
0
reference_url http://framework.zend.com/security/advisory/ZF2015-09
reference_id
reference_type
scores
url http://framework.zend.com/security/advisory/ZF2015-09
fixed_packages
0
url pkg:composer/zendframework/zend-captcha@2.4.9
purl pkg:composer/zendframework/zend-captcha@2.4.9
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zend-captcha@2.4.9
1
url pkg:composer/zendframework/zend-captcha@2.5.2
purl pkg:composer/zendframework/zend-captcha@2.5.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zend-captcha@2.5.2
aliases GMS-2015-47
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5cz1-j5rs-dub8
1
url VCID-8atm-865q-mkf3
vulnerability_id VCID-8atm-865q-mkf3
summary Potential Information Disclosure and Insufficient Entropy vulnerability in `Zend\Captcha\Word`.
references
0
reference_url https://framework.zend.com/security/advisory/ZF2015-09
reference_id
reference_type
scores
url https://framework.zend.com/security/advisory/ZF2015-09
fixed_packages
0
url pkg:composer/zendframework/zend-captcha@2.4.9
purl pkg:composer/zendframework/zend-captcha@2.4.9
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zend-captcha@2.4.9
1
url pkg:composer/zendframework/zend-captcha@2.5.2
purl pkg:composer/zendframework/zend-captcha@2.5.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zend-captcha@2.5.2
aliases ZF2015-09
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-8atm-865q-mkf3
2
url VCID-ud17-u8e3-8qaj
vulnerability_id VCID-ud17-u8e3-8qaj
summary
Zend-Captcha Information Disclosure and Insufficient Entropy vulnerability
In Zend Framework, `Zend_Captcha_Word` (v1) and `Zend\Captcha\Word` (v2) generate a "word" for a CAPTCHA challenge by selecting a sequence of random letters from a character set. Prior to this advisory, the selection was performed using PHP's internal `array_rand()` function. This function does not generate sufficient entropy due to its usage of rand() instead of more cryptographically secure methods such as `openssl_pseudo_random_bytes()`. This could potentially lead to information disclosure should an attacker be able to brute force the random number generation.
references
0
reference_url https://framework.zend.com/security/advisory/ZF2015-09
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://framework.zend.com/security/advisory/ZF2015-09
1
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zend-captcha/ZF2015-09.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zend-captcha/ZF2015-09.yaml
2
reference_url https://github.com/zendframework/zend-captcha
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/zendframework/zend-captcha
3
reference_url https://github.com/zendframework/zend-captcha/commit/43c276df6e94e498bf530538aea53876a24fc47c
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/zendframework/zend-captcha/commit/43c276df6e94e498bf530538aea53876a24fc47c
4
reference_url https://github.com/zendframework/zend-captcha/commit/5561ef813bb4ad814e835343289dc5077d2eb262
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/zendframework/zend-captcha/commit/5561ef813bb4ad814e835343289dc5077d2eb262
5
reference_url https://github.com/advisories/GHSA-mg4x-prh7-g4mx
reference_id GHSA-mg4x-prh7-g4mx
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-mg4x-prh7-g4mx
fixed_packages
0
url pkg:composer/zendframework/zend-captcha@2.4.9
purl pkg:composer/zendframework/zend-captcha@2.4.9
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zend-captcha@2.4.9
1
url pkg:composer/zendframework/zend-captcha@2.5.2
purl pkg:composer/zendframework/zend-captcha@2.5.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zend-captcha@2.5.2
aliases GHSA-mg4x-prh7-g4mx
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ud17-u8e3-8qaj
Fixing_vulnerabilities
Risk_score null
Resource_url http://public2.vulnerablecode.io/packages/pkg:composer/zendframework/zend-captcha@2.2.0rc2