CVE-2021-23566 Information

Description

The package nanoid from version 3.0.0 and before 3.1.31 is vulnerable to Information Exposure via the valueOf() function, which allows the last generated id to be reproduced.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Reference

https://github.com/ai/nanoid/pull/328
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2332550
https://gist.github.com/artalar/bc6d1eb9a3477d15d2772e876169a444
https://snyk.io/vuln/SNYK-JS-NANOID-2332193
https://github.com/ai/nanoid/commit/2b7bd9332bc49b6330c7ddb08e5c661833db2575

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

Base Score

5.5

Base Severity

MEDIUM