Bug 2362485 (CVE-2025-46653)
| Summary: | CVE-2025-46653 formidable: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Formidable | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | abarbaro, anjoseph, aveerama, cdaley, dhanak, dkuc, dsimansk, erack, fjansen, gotiwari, jchui, jhe, jhorak, jkoehler, jprabhak, kingland, ktsao, kverlaen, lphiri, matzew, mnovotny, mvyas, nboldt, psrna, sausingh, tpopela, wtam |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: |
A flaw was found in Formidable (node-formidable) related to its pseudo-random number generator (PRNG). The package uses a weak method to generate random filenames for uploaded files, making it possible for attackers to predict filenames under certain conditions. This vulnerability could allow an attacker to guess and access uploaded files, potentially leading to data exposure or malicious file manipulation.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2362627, 2362628, 2362629, 2362632, 2362633, 2362634, 2362637, 2362620, 2362621, 2362622, 2362623, 2362624, 2362625, 2362626, 2362630, 2362631, 2362635, 2362636 | ||
| Bug Blocks: | |||
|
Description
OSIDB Bzimport
2025-04-26 21:01:07 UTC
|