{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/45357?format=json","vulnerability_id":"VCID-tqye-27ur-eyf5","summary":"@keystone-6/core's bundled cuid package known to be insecure\n### Summary\nThe `cuid` package used by `@keystone-6/*` and upstream dependencies is deprecated and [marked as insecure by the author](https://github.com/paralleldrive/cuid#status-deprecated-due-to-security-use-cuid2-instead).\n\nAs reported by the author:\n> Cuid and other k-sortable and non-cryptographic ids (Ulid, ObjectId, KSUID, all UUIDs) are all insecure. Use @paralleldrive/cuid2 instead.\n\n### What are we doing about this?\n- [We are waiting on Prisma](https://github.com/keystonejs/keystone/issues/8282) to add support for [`cuid2`](https://github.com/paralleldrive/cuid2)\n- Alternatively, we might default to a random string ourselves\n\n### What can I do about this?\nWe have added a work-around for users who want to provide custom identifiers in https://github.com/keystonejs/keystone/pull/8645\n\n### What if I need a `cuid`?\nThe features marked as a security vulnerability by @paralleldrive are sometimes actually needed ([as written in the README of `cuid`](https://github.com/paralleldrive/cuid#motivation)) - the problem is the inherent risks that features like this can have.\n\nYou might actually want the features of a monotonically increasing (auto-increment, k-sortable) and timestamp-based id as part of your application, and keystone should support that - but you might not want them by _default_.\nThis is why this security advisory has been accepted by me (@dcousens): we currently use cuid identifiers by default, and that should change.\n\n### Impact\nI have accepted this security advisory on the basis that we don't need this kind of identifier typically, and the need for them should be driven by an application's requirements, not a convenient 
default.","aliases":[{"alias":"GHSA-5fp6-4xw3-xqq3"},{"alias":"GMS-2023-1872"}],"fixed_packages":[],"affected_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/656152?format=json","purl":"pkg:npm/%40keystone-6/core@0.0.0-rc-20221013033655","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5kdx-3r3z-nye2"},{"vulnerability":"VCID-gxmq-8d4q-xqdm"},{"vulnerability":"VCID-ppy6-36tw-sqft"},{"vulnerability":"VCID-tqye-27ur-eyf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540keystone-6/core@0.0.0-rc-20221013033655"},{"url":"http://public2.vulnerablecode.io/api/packages/656153?format=json","purl":"pkg:npm/%40keystone-6/core@0.0.0-rc-20230214225011","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5kdx-3r3z-nye2"},{"vulnerability":"VCID-gxmq-8d4q-xqdm"},{"vulnerability":"VCID-ppy6-36tw-sqft"},{"vulnerability":"VCID-tqye-27ur-eyf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540keystone-6/core@0.0.0-rc-20230214225011"},{"url":"http://public2.vulnerablecode.io/api/packages/656154?format=json","purl":"pkg:npm/%40keystone-6/core@0.0.0-rc-20230220024700","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5kdx-3r3z-nye2"},{"vulnerability":"VCID-gxmq-8d4q-xqdm"},{"vulnerability":"VCID-ppy6-36tw-sqft"},{"vulnerability":"VCID-tqye-27ur-eyf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540keystone-6/core@0.0.0-rc-20230220024700"},{"url":"http://public2.vulnerablecode.io/api/packages/656155?format=json","purl":"pkg:npm/%40keystone-6/core@0.0.0-rc-20230328041955","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5kdx-3r3z-nye2"},{"vulnerability":"VCID-gxmq-8d4q-xqdm"},{"vulnerability":"VCID-ppy6-36tw-sqft"},{"vulnerability":"VCID-tqye-27ur-eyf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540keystone-6/core@0.0.0-rc-20230328041955"},{"url":"http://public2.vulnerablecode.i
o/api/packages/656156?format=json","purl":"pkg:npm/%40keystone-6/core@0.0.0-rc-20230329060432","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5kdx-3r3z-nye2"},{"vulnerability":"VCID-gxmq-8d4q-xqdm"},{"vulnerability":"VCID-ppy6-36tw-sqft"},{"vulnerability":"VCID-tqye-27ur-eyf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540keystone-6/core@0.0.0-rc-20230329060432"},{"url":"http://public2.vulnerablecode.io/api/packages/656157?format=json","purl":"pkg:npm/%40keystone-6/core@0.0.0-rc-20230330050032","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5kdx-3r3z-nye2"},{"vulnerability":"VCID-gxmq-8d4q-xqdm"},{"vulnerability":"VCID-ppy6-36tw-sqft"},{"vulnerability":"VCID-tqye-27ur-eyf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540keystone-6/core@0.0.0-rc-20230330050032"},{"url":"http://public2.vulnerablecode.io/api/packages/656158?format=json","purl":"pkg:npm/%40keystone-6/core@0.0.0-rc-20230412063326","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5kdx-3r3z-nye2"},{"vulnerability":"VCID-gxmq-8d4q-xqdm"},{"vulnerability":"VCID-ppy6-36tw-sqft"},{"vulnerability":"VCID-tqye-27ur-eyf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540keystone-6/core@0.0.0-rc-20230412063326"},{"url":"http://public2.vulnerablecode.io/api/packages/656159?format=json","purl":"pkg:npm/%40keystone-6/core@0.0.0-rc-20230412064346","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5kdx-3r3z-nye2"},{"vulnerability":"VCID-gxmq-8d4q-xqdm"},{"vulnerability":"VCID-ppy6-36tw-sqft"},{"vulnerability":"VCID-tqye-27ur-eyf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540keystone-6/core@0.0.0-rc-20230412064346"},{"url":"http://public2.vulnerablecode.io/api/packages/656160?format=json","purl":"pkg:npm/%40keystone-6/core@0.0.0-rc-20230512055539","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerabili
ty":"VCID-5kdx-3r3z-nye2"},{"vulnerability":"VCID-gxmq-8d4q-xqdm"},{"vulnerability":"VCID-ppy6-36tw-sqft"},{"vulnerability":"VCID-tqye-27ur-eyf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540keystone-6/core@0.0.0-rc-20230512055539"},{"url":"http://public2.vulnerablecode.io/api/packages/656161?format=json","purl":"pkg:npm/%40keystone-6/core@0.0.0-rc-20230523070754","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5kdx-3r3z-nye2"},{"vulnerability":"VCID-gxmq-8d4q-xqdm"},{"vulnerability":"VCID-ppy6-36tw-sqft"},{"vulnerability":"VCID-tqye-27ur-eyf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540keystone-6/core@0.0.0-rc-20230523070754"},{"url":"http://public2.vulnerablecode.io/api/packages/656162?format=json","purl":"pkg:npm/%40keystone-6/core@1.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5kdx-3r3z-nye2"},{"vulnerability":"VCID-gxmq-8d4q-xqdm"},{"vulnerability":"VCID-ppy6-36tw-sqft"},{"vulnerability":"VCID-tqye-27ur-eyf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540keystone-6/core@1.0.0"},{"url":"http://public2.vulnerablecode.io/api/packages/656163?format=json","purl":"pkg:npm/%40keystone-6/core@1.0.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5kdx-3r3z-nye2"},{"vulnerability":"VCID-gxmq-8d4q-xqdm"},{"vulnerability":"VCID-ppy6-36tw-sqft"},{"vulnerability":"VCID-tqye-27ur-eyf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540keystone-6/core@1.0.1"},{"url":"http://public2.vulnerablecode.io/api/packages/656164?format=json","purl":"pkg:npm/%40keystone-6/core@1.1.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5kdx-3r3z-nye2"},{"vulnerability":"VCID-gxmq-8d4q-xqdm"},{"vulnerability":"VCID-ppy6-36tw-sqft"},{"vulnerability":"VCID-tqye-27ur-eyf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540keystone-6/core@1.1.0"},{"url":
"http://public2.vulnerablecode.io/api/packages/656165?format=json","purl":"pkg:npm/%40keystone-6/core@1.1.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5kdx-3r3z-nye2"},{"vulnerability":"VCID-gxmq-8d4q-xqdm"},{"vulnerability":"VCID-ppy6-36tw-sqft"},{"vulnerability":"VCID-tqye-27ur-eyf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540keystone-6/core@1.1.1"},{"url":"http://public2.vulnerablecode.io/api/packages/656166?format=json","purl":"pkg:npm/%40keystone-6/core@2.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5kdx-3r3z-nye2"},{"vulnerability":"VCID-gxmq-8d4q-xqdm"},{"vulnerability":"VCID-ppy6-36tw-sqft"},{"vulnerability":"VCID-tqye-27ur-eyf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540keystone-6/core@2.0.0"},{"url":"http://public2.vulnerablecode.io/api/packages/656167?format=json","purl":"pkg:npm/%40keystone-6/core@2.1.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5kdx-3r3z-nye2"},{"vulnerability":"VCID-gxmq-8d4q-xqdm"},{"vulnerability":"VCID-ppy6-36tw-sqft"},{"vulnerability":"VCID-tqye-27ur-eyf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540keystone-6/core@2.1.0"},{"url":"http://public2.vulnerablecode.io/api/packages/504545?format=json","purl":"pkg:npm/%40keystone-6/core@2.2.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5kdx-3r3z-nye2"},{"vulnerability":"VCID-gxmq-8d4q-xqdm"},{"vulnerability":"VCID-k428-up64-47d9"},{"vulnerability":"VCID-ppy6-36tw-sqft"},{"vulnerability":"VCID-tqye-27ur-eyf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540keystone-6/core@2.2.0"},{"url":"http://public2.vulnerablecode.io/api/packages/615328?format=json","purl":"pkg:npm/%40keystone-6/core@2.3.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5kdx-3r3z-nye2"},{"vulnerability":"VCID-gxmq-8d4q-xqdm"},{"vulnerability":"VCID-
k428-up64-47d9"},{"vulnerability":"VCID-ppy6-36tw-sqft"},{"vulnerability":"VCID-tqye-27ur-eyf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540keystone-6/core@2.3.0"},{"url":"http://public2.vulnerablecode.io/api/packages/145010?format=json","purl":"pkg:npm/%40keystone-6/core@2.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5kdx-3r3z-nye2"},{"vulnerability":"VCID-gxmq-8d4q-xqdm"},{"vulnerability":"VCID-ppy6-36tw-sqft"},{"vulnerability":"VCID-tqye-27ur-eyf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540keystone-6/core@2.3.1"},{"url":"http://public2.vulnerablecode.io/api/packages/504630?format=json","purl":"pkg:npm/%40keystone-6/core@3.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5kdx-3r3z-nye2"},{"vulnerability":"VCID-gxmq-8d4q-xqdm"},{"vulnerability":"VCID-ppy6-36tw-sqft"},{"vulnerability":"VCID-r13j-pm6j-8ubf"},{"vulnerability":"VCID-tqye-27ur-eyf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540keystone-6/core@3.0.0"},{"url":"http://public2.vulnerablecode.io/api/packages/618568?format=json","purl":"pkg:npm/%40keystone-6/core@3.0.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5kdx-3r3z-nye2"},{"vulnerability":"VCID-gxmq-8d4q-xqdm"},{"vulnerability":"VCID-ppy6-36tw-sqft"},{"vulnerability":"VCID-r13j-pm6j-8ubf"},{"vulnerability":"VCID-tqye-27ur-eyf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540keystone-6/core@3.0.1"},{"url":"http://public2.vulnerablecode.io/api/packages/148805?format=json","purl":"pkg:npm/%40keystone-6/core@3.0.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5kdx-3r3z-nye2"},{"vulnerability":"VCID-gxmq-8d4q-xqdm"},{"vulnerability":"VCID-ppy6-36tw-sqft"},{"vulnerability":"VCID-tqye-27ur-eyf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540keystone-6/core@3.0.2"},{"url":"http://public2.vulnerab
lecode.io/api/packages/656168?format=json","purl":"pkg:npm/%40keystone-6/core@3.1.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5kdx-3r3z-nye2"},{"vulnerability":"VCID-gxmq-8d4q-xqdm"},{"vulnerability":"VCID-ppy6-36tw-sqft"},{"vulnerability":"VCID-tqye-27ur-eyf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540keystone-6/core@3.1.0"},{"url":"http://public2.vulnerablecode.io/api/packages/656169?format=json","purl":"pkg:npm/%40keystone-6/core@3.1.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5kdx-3r3z-nye2"},{"vulnerability":"VCID-gxmq-8d4q-xqdm"},{"vulnerability":"VCID-ppy6-36tw-sqft"},{"vulnerability":"VCID-tqye-27ur-eyf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540keystone-6/core@3.1.1"},{"url":"http://public2.vulnerablecode.io/api/packages/656170?format=json","purl":"pkg:npm/%40keystone-6/core@3.1.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5kdx-3r3z-nye2"},{"vulnerability":"VCID-gxmq-8d4q-xqdm"},{"vulnerability":"VCID-ppy6-36tw-sqft"},{"vulnerability":"VCID-tqye-27ur-eyf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540keystone-6/core@3.1.2"},{"url":"http://public2.vulnerablecode.io/api/packages/656171?format=json","purl":"pkg:npm/%40keystone-6/core@3.1.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5kdx-3r3z-nye2"},{"vulnerability":"VCID-gxmq-8d4q-xqdm"},{"vulnerability":"VCID-ppy6-36tw-sqft"},{"vulnerability":"VCID-tqye-27ur-eyf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540keystone-6/core@3.1.3"},{"url":"http://public2.vulnerablecode.io/api/packages/656172?format=json","purl":"pkg:npm/%40keystone-6/core@4.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5kdx-3r3z-nye2"},{"vulnerability":"VCID-gxmq-8d4q-xqdm"},{"vulnerability":"VCID-ppy6-36tw-sqft"},{"vulnerability":"VCID-tqye-27ur-eyf5"}],"resou
rce_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540keystone-6/core@4.0.0"},{"url":"http://public2.vulnerablecode.io/api/packages/656173?format=json","purl":"pkg:npm/%40keystone-6/core@4.0.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5kdx-3r3z-nye2"},{"vulnerability":"VCID-gxmq-8d4q-xqdm"},{"vulnerability":"VCID-ppy6-36tw-sqft"},{"vulnerability":"VCID-tqye-27ur-eyf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540keystone-6/core@4.0.1"},{"url":"http://public2.vulnerablecode.io/api/packages/656174?format=json","purl":"pkg:npm/%40keystone-6/core@5.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5kdx-3r3z-nye2"},{"vulnerability":"VCID-gxmq-8d4q-xqdm"},{"vulnerability":"VCID-ppy6-36tw-sqft"},{"vulnerability":"VCID-tqye-27ur-eyf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540keystone-6/core@5.0.0"},{"url":"http://public2.vulnerablecode.io/api/packages/656175?format=json","purl":"pkg:npm/%40keystone-6/core@5.1.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5kdx-3r3z-nye2"},{"vulnerability":"VCID-gxmq-8d4q-xqdm"},{"vulnerability":"VCID-ppy6-36tw-sqft"},{"vulnerability":"VCID-tqye-27ur-eyf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540keystone-6/core@5.1.0"},{"url":"http://public2.vulnerablecode.io/api/packages/656176?format=json","purl":"pkg:npm/%40keystone-6/core@5.2.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5kdx-3r3z-nye2"},{"vulnerability":"VCID-gxmq-8d4q-xqdm"},{"vulnerability":"VCID-ppy6-36tw-sqft"},{"vulnerability":"VCID-tqye-27ur-eyf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540keystone-6/core@5.2.0"},{"url":"http://public2.vulnerablecode.io/api/packages/656177?format=json","purl":"pkg:npm/%40keystone-6/core@5.3.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5kdx-3r3z-nye2"},{"vulne
rability":"VCID-gxmq-8d4q-xqdm"},{"vulnerability":"VCID-ppy6-36tw-sqft"},{"vulnerability":"VCID-tqye-27ur-eyf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540keystone-6/core@5.3.0"},{"url":"http://public2.vulnerablecode.io/api/packages/65373?format=json","purl":"pkg:npm/%40keystone-6/core@5.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5kdx-3r3z-nye2"},{"vulnerability":"VCID-gxmq-8d4q-xqdm"},{"vulnerability":"VCID-ppy6-36tw-sqft"},{"vulnerability":"VCID-tqye-27ur-eyf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540keystone-6/core@5.3.1"}],"references":[{"reference_url":"https://github.com/keystonejs/keystone","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keystonejs/keystone"},{"reference_url":"https://github.com/keystonejs/keystone/issues/8282#issuecomment-1586019823","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keystonejs/keystone/issues/8282#issuecomment-1586019823"},{"reference_url":"https://github.com/paralleldrive/cuid#status-deprecated-due-to-security-use-cuid2-instead","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/paralleldrive/cuid#status-deprecated-due-to-security-use-cuid2-instead"},{"reference_url":"https://github.com/advisories/GHSA-5fp6-4xw3-xqq3","reference_id":"GHSA-5fp6-4xw3-xqq3","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-5fp6-4xw3-xqq3"},{"reference_url":"https://github.com/keystonejs/keystone/security/advisories/GHSA-5fp6-4xw3-xqq3","reference_id":"GHSA-5fp6-4xw3-xqq3","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":
""},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keystonejs/keystone/security/advisories/GHSA-5fp6-4xw3-xqq3"}],"weaknesses":[{"cwe_id":1035,"name":"OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017."},{"cwe_id":937,"name":"OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013."}],"exploits":[],"severity_range_score":"0.1 - 3","exploitability":"0.5","weighted_severity":"2.7","risk_score":1.4,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-tqye-27ur-eyf5"}