Exposure of Sensitive Information to an Unauthorized Actor in nanoid
Fixed Patch
3.1.31
The nanoid package, in versions from 3.0.0 and before 3.1.31, is vulnerable to Information Exposure via the valueOf() function, which allows the last generated id to be reproduced.
Due Date: 2023-01-10
A medium severity vulnerability has been discovered in your project.
Project Name: kondukto-ui-vue
Scanner Name: dependabot
Cwe ID: 200
Cwe Name: Information Exposure
Cwe Link: https://cwe.mitre.org/data/definitions/200.html
File: package-lock.json
Packages:
References:
Kondukto Remediation
1: fgdfgdg
2: gbngf
3: kjnkj
Training (Secure Code Warrior):
Name: Exposure of Sensitive Information to an Unauthorized Actor
Description: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Link: https://portal.securecodewarrior.com/?utm_source=partner-integration:kondukto#/contextual-microlearning/web/infoexposure/sensitiveinfo
Videos:
Name: Missing Custom Error Page
Description: The software does not return custom error pages to the user, possibly exposing sensitive information.
Link: https://portal.securecodewarrior.com/?utm_source=partner-integration:kondukto#/contextual-microlearning/web/infoexposure/errordetails
Videos:
Name: Generation of Error Message Containing Sensitive Information
Description: The software generates an error message that includes sensitive information about its environment, users, or associated data.
Link: https://portal.securecodewarrior.com/?utm_source=partner-integration:kondukto#/contextual-microlearning/web/infoexposure/errordetails
Videos:
Name: OWASP Top Ten 2017 Category A6 - Security Misconfiguration
Description: Weaknesses in this category are related to the A6 category in the OWASP Top Ten 2017.
Link: https://portal.securecodewarrior.com/?utm_source=partner-integration:kondukto#/contextual-microlearning/web/misconfig
Videos:
Tool Description: ### Summary
Exposure of Sensitive Information to an Unauthorized Actor in nanoid
Fixed Patch
3.1.31
The nanoid package, in versions from 3.0.0 and before 3.1.31, is vulnerable to Information Exposure via the valueOf() function, which allows the last generated id to be reproduced.
Kondukto Link: https://82.kondukto.local/projects/63b2e875fcd0c2a01b845757/vulns/appsec?page=1&perPage=15&id=in:63bbc8a5b3a8a9664878e70e
Deeplink: GHSA-qrpm-p2h7-hrv2