CVE-2020-28924

Common vulnerabilities & exposures (CVE)

CVE database CVE database blogpost Release & EoL database

Published at: - 19-11-2020 09:15

Last modified: - 26-04-2022 06:34

Total changes: - 4

Description

An issue was discovered in Rclone before 1.53.3. Due to the use of a weak random number generator, the password generator has been producing weak passwords with much less entropy than advertised. The suggested passwords depend deterministically on the time the second rclone was started. This limits the entropy of the passwords enormously. These passwords are often used in the crypt backend for encryption of data. It would be possible to make a dictionary of all possible passwords with about 38 million entries per password length. This would make decryption of secret material possible with a plausible amount of effort. NOTE: all passwords generated by affected versions should be changed.

Common Vulnerability Scoring System (CVSS)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Low

Attack complexity

Network

Attack vector

None

Availability

High

Confidentiality

None

Integrity

None

Privileges required

Unchanged

Scope

None

User interaction

7.5

Base score

3.9

3.6

Exploitability score

Impact score

Verification logic

vendor=rclone AND product=rclone AND versionEndExcluding=1.53.3

vendor=fedoraproject AND product=fedora AND version=33

Reference

https://github.com/rclone/rclone/issues/4783
https://rclone.org/downloads/
FEDORA-2020-3b0bb05117-Mailing List, Third Party Advisory
GLSA-202107-14-Third Party Advisory

Keywords

CVE-2020-28924

Common vulnerabilities & exposures (CVE)

Description

Common Vulnerability Scoring System (CVSS)

Verification logic

Reference

NVD

CVE-2020-28924

CVE

Common vulnerabilities & exposures

CVSS

Common vulnerability scoring system

Security

Vulnerabilities

Exposures