CVE-2016-1902 Information

Description

The nextBytes function in the SecureRandom class in Symfony before 2.3.37 2.6.x before 2.6.13 and 2.7.x before 2.7.9 does not properly generate random numbers when used with PHP 5.x without the paragonie/random_compat library and the openssl_random_pseudo_bytes function fails which makes it easier for attackers to defeat cryptographic protection mechanisms via unspecified vectors.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Reference

http://symfony.com/blog/cve-2016-1902-securerandom-s-fallback-not-secure-when-openssl-fails http://www.debian.org/security/2016/dsa-3588 https://github.com/symfony/symfony/pull/17359 https://www.landaire.net/blog/cve-2016-1902-symfony-securerandom/

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

NONE

Base Score

NONE

Base Severity

7.5