CVE-2020-28924

Published: 19/11/2020 Updated: 07/11/2023
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 445
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Summary

An issue exists in Rclone prior to 1.53.3. Because the password generator relied on a weak random number generator, it produced passwords with far less entropy than advertised: each suggested password is determined entirely by the second at which rclone was started, which reduces the entropy of the passwords enormously. These passwords are commonly used in the crypt backend to encrypt data. A dictionary of all possible passwords would hold about 38 million entries per password length, making decryption of secret material feasible with a plausible amount of effort. NOTE: all passwords generated by affected versions should be changed.
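The following is an added illustration, not rclone's own source: it models the weakness class described above (a non-cryptographic PRNG seeded from the start-up second, so the output is reproducible) beside the hardened form that reads from the OS CSPRNG via crypto/rand. The per-second seed and the 16-byte length are assumptions for the illustration; the `reproducible` check is one way a reviewer can flag a generator whose output depends only on a seed.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
	mathrand "math/rand"
	"time"
)

const passwordBytes = 16 // 128 bits of intended entropy (assumed length)

// weakPassword models the flawed pattern: a non-cryptographic PRNG seeded
// with the wall-clock second at start-up. Same second, same password, so the
// whole output space collapses to one entry per second of the affected period.
// This is an illustration of the weakness class, not rclone's actual code.
func weakPassword(startSecond int64) string {
	r := mathrand.New(mathrand.NewSource(startSecond))
	buf := make([]byte, passwordBytes)
	for i := range buf {
		buf[i] = byte(r.Intn(256))
	}
	return base64.RawURLEncoding.EncodeToString(buf)
}

// strongPassword is the hardened form: bytes come from the OS CSPRNG through
// crypto/rand, so no seed, clock or other external state predicts them.
func strongPassword() (string, error) {
	buf := make([]byte, passwordBytes)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// reproducible reports whether a generator yields identical output for the
// same start second, the symptom CVE-2020-28924 describes. A generator that
// must be unpredictable should never be reproducible from its inputs.
func reproducible(gen func(int64) string, startSecond int64) bool {
	return gen(startSecond) == gen(startSecond)
}

func main() {
	now := time.Now().Unix()
	fmt.Println("weak generator reproducible:", reproducible(weakPassword, now))
	s1, _ := strongPassword()
	s2, _ := strongPassword()
	fmt.Println("strong generator repeats:", s1 == s2)
}
```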

Vulnerable Products

rclone rclone

fedoraproject fedora 33

Vendor Advisories

Debian Bug report logs - #975324 rclone: CVE-2020-28924: generating weak passwords Package: src:rclone; Maintainer for src:rclone is Debian Go Packaging Team <team+pkg-go@tracker.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org> Date: Fri, 20 Nov 2020 13:57:04 UTC Severity: grave Tags: security, upst ...
An issue was discovered in rclone 1.49.0 up to 1.53.2. Due to the use of a weak random number generator, the password generator has been producing weak passwords with much less entropy than advertised. The suggested passwords depend deterministically on the time rclone was started. This limits the entropy of the passwords enormously. These password ...