CVE-2025-21617
Jan. 6, 2025, 8:15 p.m.
Product(s) Impacted
Guzzle OAuth Subscriber
- before 0.8.1
Description
Guzzle OAuth Subscriber signs Guzzle requests using OAuth 1.0. Prior to 0.8.1, nonce generation used neither sufficient entropy nor a cryptographically secure pseudorandom source. Because the nonce is what lets a server distinguish a fresh signed request from a repeated one, a predictable or repeating nonce can leave servers vulnerable to replay attacks when TLS is not used. This vulnerability is fixed in 0.8.1.
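The following PHP is an added illustration and is not code from the Guzzle OAuth Subscriber project. It contrasts a low-entropy nonce built from a time-based value and a non-cryptographic PRNG (a pattern assumed here for illustration, not a claim about what the library did) with one drawn from the OS CSPRNG, and shows the server-side replay check that OAuth 1.0 relies on regardless of how strong the client's nonce is. The class and function names are hypothetical.

```php
<?php
// Added example, not the library's code. Contrasts a weak nonce source with a
// CSPRNG-backed one and shows a server-side nonce/timestamp replay guard.

declare(strict_types=1);

// Weak pattern (assumed for illustration): uniqid() is essentially a microsecond
// timestamp and mt_rand() is a Mersenne Twister, which is not cryptographically
// secure. Hashing them does not add entropy; the search space stays small and
// partly predictable, so nonces can collide or be guessed.
function weakNonce(): string
{
    return md5(uniqid((string) mt_rand(), true));
}

// Hardened pattern: 32 bytes from the OS CSPRNG via random_bytes(), hex-encoded.
// random_bytes() throws if no secure source is available rather than degrading.
function secureNonce(int $bytes = 32): string
{
    return bin2hex(random_bytes($bytes));
}

// Server-side defence: reject any (consumer key, nonce, timestamp) tuple already
// seen inside the accepted clock-skew window. Keyed on consumer key so that one
// client's nonce space cannot collide with another's.
final class NonceReplayGuard
{
    /** @var array<string, int> composite key => timestamp first seen */
    private array $seen = [];

    public function __construct(private readonly int $windowSeconds = 300) {}

    /** Returns true for a fresh request (and records it), false for replayed or stale. */
    public function accept(string $consumerKey, string $nonce, int $timestamp, int $now): bool
    {
        if (abs($now - $timestamp) > $this->windowSeconds) {
            return false; // outside the window: stale request or large clock skew
        }
        $this->evict($now);
        $key = $consumerKey . ':' . $nonce . ':' . $timestamp;
        if (isset($this->seen[$key])) {
            return false; // same tuple presented again: replay
        }
        $this->seen[$key] = $timestamp;
        return true;
    }

    // Drop entries older than the window so the store stays bounded.
    private function evict(int $now): void
    {
        foreach ($this->seen as $key => $ts) {
            if ($now - $ts > $this->windowSeconds) {
                unset($this->seen[$key]);
            }
        }
    }
}

// Usage: the second presentation of the same nonce/timestamp is rejected.
$guard = new NonceReplayGuard();
$now = time();
$nonce = secureNonce();
var_dump($guard->accept('consumer-abc', $nonce, $now, $now));
var_dump($guard->accept('consumer-abc', $nonce, $now, $now));
```

The replay guard is the server's half of the mitigation: even with a client upgraded to a CSPRNG nonce, a server that does not track nonces per consumer within the timestamp window cannot detect a repeated request. In production the `$seen` store would be shared (for example a cache with TTL equal to the window) rather than per-process memory.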
Weaknesses
CWE-338
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.
CWE ID: 338
Date
Published: Jan. 6, 2025, 8:15 p.m.
Last Modified: Jan. 6, 2025, 8:15 p.m.
Status: Awaiting Analysis
CVE has been recently published to the CVE List and has been received by the NVD.
Source
security-advisories@github.com