GHSA-XG2H-WX96-XGXR

Vulnerability from github – Published: 2021-05-21 16:26 – Updated: 2026-01-23 22:52
VLAI?
Summary
RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be
Details

Impact

A security-sensitive bug was discovered by Open Source Developer Erik Sundell of Sundell Open Source Consulting AB.

The functions RandomAlphaNumeric(int) and CryptoRandomAlphaNumeric(int) are not as random as they should be. Small values of int in the functions above will return a smaller subset of results than they should. For example, RandomAlphaNumeric(1) will always return a digit in the 0-9 range, while RandomAlphaNumeric(4) will return around ~7 million of the ~13M possible permutations.

This is considered a security release because programs that rely upon random generators for passwords are at an increased risk of brute force-style password guessing. There is also a higher probability of collision.

The problem was the result of a mistaken regular expression that only accepted random strings if they contained a digit from [0-9]. That restriction has been removed.

Patches

This issue has been corrected in v1.1.1.

Workarounds

If you cannot upgrade to v1.1.1, you can work around the issue by calling RandomAlphaNumericCustom(N, true, true)|CryptoRandomAlphaNumericCustom(N, true, true) instead. (Where N is the desired length, and true is the literal boolean true.)

Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/Masterminds/goutils"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-4238"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-331"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-21T14:36:56Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "### Impact\n\nA security-sensitive bug was discovered by Open Source Developer *Erik Sundell of Sundell Open Source Consulting AB*.\n\nThe functions `RandomAlphaNumeric(int)` and `CryptoRandomAlphaNumeric(int)` are not as random as they should be. Small values of `int` in the functions above will return a smaller subset of results than they should. For example, `RandomAlphaNumeric(1)` will always return a digit in the 0-9 range, while `RandomAlphaNumeric(4)` will return around ~7 million of the ~13M possible permutations.\n\nThis is considered a security release because programs that rely upon random generators for passwords are at an increased risk of brute force-style password guessing. There is also a higher probability of collision.\n\nThe problem was the result of a mistaken regular expression that only accepted random strings if they contained a digit from `[0-9]`. That restriction has been removed.\n\n### Patches\n\nThis issue has been corrected in v1.1.1.\n\n### Workarounds\n\nIf you cannot upgrade to v1.1.1, you can work around the issue by calling `RandomAlphaNumericCustom(N, true, true)`|`CryptoRandomAlphaNumericCustom(N, true, true)`  instead. (Where `N` is the desired length, and `true` is the literal boolean `true`.)",
  "id": "GHSA-xg2h-wx96-xgxr",
  "modified": "2026-01-23T22:52:01Z",
  "published": "2021-05-21T16:26:06Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Masterminds/goutils/security/advisories/GHSA-xg2h-wx96-xgxr"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4238"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Masterminds/goutils/commit/869801f20f9f1e7ecdbdb6422049d8241270d5e1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Masterminds/goutils/commit/f1923532a168b8203bfe956d8cd3b17ebece5982"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Masterminds/goutils"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Masterminds/goutils/releases/tag/v1.1.1"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2022-0411"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.