Description

nano-id is a unique string ID generator for Rust. Affected versions of the nano-id crate incorrectly generated IDs using a reduced character set in the `nano_id::base62` and `nano_id::base58` functions. Specifically, the `base62` function used a character set of 32 symbols instead of the intended 62 symbols, and the `base58` function used a character set of 16 symbols instead of the intended 58 symbols. Additionally, the `nano_id::gen` macro is also affected when a custom character set that is not a power of 2 in size is specified. It should be noted that `nano_id::base64` is not affected by this vulnerability. This can result in a significant reduction in entropy, making the generated IDs predictable and vulnerable to brute-force attacks when the IDs are used in security-sensitive contexts such as session tokens or unique identifiers. The vulnerability is fixed in 0.4.0.

INFO

Published Date :

2024-06-04T14:11:26.945Z

Last Modified :

2024-08-02T03:37:05.234Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2024-36400 vulnerability.

Vendors Products
Viz
  • Nano Id
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-36400.

URL Resource
https://github.com/viz-rs/nano-id/commit/a9022772b2f1ce38929b5b81eccc670ac9d3ab23 cve-icon cve-icon cve-icon
https://github.com/viz-rs/nano-id/security/advisories/GHSA-9hc7-6w9r-wj94 cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact