How severe is CVE-2024-36400?

This vulnerability has a severity rating of CRITICAL with a CVSS score of 9.8 out of 10.

What type of vulnerability is CVE-2024-36400?

This is classified as CWE-331, which is a common weakness in software security.

CVE-2024-36400 - CRITICAL Severity | CVSS 9.8

Vulnerability Description

nano-id is a unique string ID generator for Rust. Affected versions of the nano-id crate incorrectly generated IDs using a reduced character set in the `nano_id::base62` and `nano_id::base58` functions. Specifically, the `base62` function used a character set of 32 symbols instead of the intended 62 symbols, and the `base58` function used a character set of 16 symbols instead of the intended 58 symbols. Additionally, the `nano_id::gen` macro is also affected when a custom character set that is not a power of 2 in size is specified. It should be noted that `nano_id::base64` is not affected by this vulnerability. This can result in a significant reduction in entropy, making the generated IDs predictable and vulnerable to brute-force attacks when the IDs are used in security-sensitive contexts such as session tokens or unique identifiers. The vulnerability is fixed in 0.4.0.

Related Vulnerabilities

CVE-2008-2108

CRITICAL

CVSS:9.8(Critical)

The GENERATE_SEED macro in PHP 4.x before 4.4.8 and 5.x before 5.2.5, when running on 64-bit systems, performs a multiplication that generates a portion of zero bits during conversion due to insuffici...

CWE-3312008

CVE-2013-2260

CRITICAL

CVSS:9.8(Critical)

Cryptocat before 2.0.22: Cryptocat.random() Function Array Key has Entropy Weakness

CWE-3312013

CVE-2018-1000620

CRITICAL

CVSS:9.8(Critical)

Eran Hammer cryptiles version 4.1.1 earlier contains a CWE-331: Insufficient Entropy vulnerability in randomDigits() method that can result in An attacker is more likely to be able to brute force some...

CWE-3312018

CVE-2020-12735

CRITICAL

CVSS:9.8(Critical)

reset.php in DomainMOD 4.13.0 uses insufficient entropy for password reset requests, leading to account takeover.

CWE-3312020

CVE-2020-29508

CRITICAL

CVSS:9.8(Critical)

Dell BSAFE Crypto-C Micro Edition, versions before 4.1.5, and Dell BSAFE Micro Edition Suite, versions before 4.6, contain an Improper Input Validation Vulnerability.

CWE-3312020

CVE-2021-22727

CRITICAL

CVSS:9.8(Critical)

A CWE-331: Insufficient Entropy vulnerability exists in EVlink City (EVC1S22P4 / EVC1S7P4 all versions prior to R8 V3.4.0.1), EVlink Parking (EVW2 / EVF2 / EV.2 all versions prior to R8 V3.4.0.1), and...

CWE-3312021