Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
nano-id is unable to generate the correct character set
Vulnerability Description
nano-id is a unique string ID generator for Rust. Affected versions of the nano-id crate incorrectly generated IDs using a reduced character set in the `nano_id::base62` and `nano_id::base58` functions. Specifically, the `base62` function used a character set of 32 symbols instead of the intended 62 symbols, and the `base58` function used a character set of 16 symbols instead of the intended 58 symbols. Additionally, the `nano_id::gen` macro is also affected when a custom character set that is not a power of 2 in size is specified. It should be noted that `nano_id::base64` is not affected by this vulnerability. This can result in a significant reduction in entropy, making the generated IDs predictable and vulnerable to brute-force attacks when the IDs are used in security-sensitive contexts such as session tokens or unique identifiers. The vulnerability is fixed in 0.4.0.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Vulnerability Type
信息熵不充分
Vulnerability Title
Nano Id 安全漏洞
Vulnerability Description
Nano Id是西班牙Andrey Sitnik个人开发者的一个用于 JavaScript 的小型、安全、Url 友好、唯一的字符串 Id 生成器。 Nano Id 0.4.0之前版本存在安全漏洞,该漏洞源于使用简化的字符集错误地生成ID,可能导致熵显著降低,使得生成的ID可预测,并且容易受到暴力攻击。
CVSS Information
N/A
Vulnerability Type
N/A