CVE-2021-23128 - OpenCVE

An issue was discovered in Joomla! 3.2.0 through 3.9.24. The core shipped but unused randval implementation within FOF (FOFEncryptRandval) used an potential insecure implemetation. That has now been replaced with a call to 'random_bytes()' and its backport that is shipped within random_compat.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Joomla	Joomla\!

Configuration 1 [-]

cpe:2.3:a:joomla:joomla\!:*:*:*:*:*:*:*:*

References

Link	Resource
https://developer.joomla.org/security-centre/842-20210302-core-potential-insecure-fofencryptrandval.html	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: Joomla

Published: 2021-03-02T00:00:00

Updated: 2022-12-22T11:56:06.253Z

Reserved: 2021-01-06T00:00:00

Link: CVE-2021-23128

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-03-04T18:15:13.363

Modified: 2021-03-05T20:56:02.373

Link: CVE-2021-23128

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-noinfo

{"containers": {"cna": {"affected": [{"product": "Joomla! CMS", "vendor": "Joomla! Project", "versions": [{"status": "affected", "version": "3.2.0-3.9.24"}]}], "datePublic": "2021-03-02T00:00:00", "descriptions": [{"lang": "en", "value": "An issue was discovered in Joomla! 3.2.0 through 3.9.24. The core shipped but unused randval implementation within FOF (FOFEncryptRandval) used an potential insecure implemetation. That has now been replaced with a call to 'random_bytes()' and its backport that is shipped within random_compat."}], "problemTypes": [{"descriptions": [{"description": "Insecure Randomness", "lang": "en", "type": "text"}]}], "providerMetadata": {"orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "shortName": "Joomla", "dateUpdated": "2022-12-22T11:56:06.253Z"}, "references": [{"tags": ["x_refsource_MISC", "vendor-advisory"], "url": "https://developer.joomla.org/security-centre/842-20210302-core-potential-insecure-fofencryptrandval.html"}], "title": "[20210302] - Core - Potential Insecure FOFEncryptRandval", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@joomla.org", "DATE_PUBLIC": "2021-03-02T16:00:00", "ID": "CVE-2021-23128", "STATE": "PUBLIC", "TITLE": "[20210302] - Core - Potential Insecure FOFEncryptRandval"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Joomla! CMS", "version": {"version_data": [{"version_value": "3.2.0-3.9.24"}]}}]}, "vendor_name": "Joomla! Project"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered in Joomla! 3.2.0 through 3.9.24. The core shipped but unused randval implementation within FOF (FOFEncryptRandval) used an potential insecure implemetation. That has now been replaced with a call to 'random_bytes()' and its backport that is shipped within random_compat."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Insecure Randomness"}]}]}, "references": {"reference_data": [{"name": "https://developer.joomla.org/security-centre/842-20210302-core-potential-insecure-fofencryptrandval.html", "refsource": "MISC", "url": "https://developer.joomla.org/security-centre/842-20210302-core-potential-insecure-fofencryptrandval.html"}]}}}}, "cveMetadata": {"assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586", "assignerShortName": "Joomla", "cveId": "CVE-2021-23128", "datePublished": "2021-03-02T00:00:00", "dateReserved": "2021-01-06T00:00:00", "dateUpdated": "2022-12-22T11:56:06.253Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:joomla:joomla\\!:*:*:*:*:*:*:*:*", "matchCriteriaId": "A02A2FBC-42A3-42A1-B06A-CC676094F7C3", "versionEndExcluding": "3.9.25", "versionStartIncluding": "3.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Joomla! 3.2.0 through 3.9.24. The core shipped but unused randval implementation within FOF (FOFEncryptRandval) used an potential insecure implemetation. That has now been replaced with a call to 'random_bytes()' and its backport that is shipped within random_compat."}, {"lang": "es", "value": "Se detect\u00f3 un problema en Joomla! versiones 3.2.0 hasta 3.9.24. La implementaci\u00f3n de randval enviada pero no usada dentro de FOF (FOFEncryptRandval) us\u00f3 una implementaci\u00f3n no segura potencial. Eso ahora ha sido reemplazado con una llamada a la funci\u00f3n \"random_bytes()\" y su backport que es enviado dentro de random_compat"}], "id": "CVE-2021-23128", "lastModified": "2021-03-05T20:56:02.373", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-03-04T18:15:13.363", "references": [{"source": "security@joomla.org", "tags": ["Vendor Advisory"], "url": "https://developer.joomla.org/security-centre/842-20210302-core-potential-insecure-fofencryptrandval.html"}], "sourceIdentifier": "security@joomla.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}