PT-2021-23607 · Softwarex · Softwarex
Published 2021-05-21 · Updated 2023-01-05 · CVE-2021-4238
CVSS v3.1: 9.1 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Name of the Vulnerable Software and Affected Versions: SoftwareX versions prior to 1.1.1
Description: Randomly generated alphanumeric strings contain significantly less entropy than expected. The RandomAlphaNumeric and CryptoRandomAlphaNumeric functions always return strings containing at least one digit from 0 to 9, which significantly reduces the entropy of short strings generated by these functions. A security-sensitive bug was discovered where small values of the int length argument to the functions above return a smaller subset of results than they should. For example, RandomAlphaNumeric(1) will always return a digit in the 0-9 range, while RandomAlphaNumeric(4) will return only ~7 million of the ~13M possible permutations. This is considered a security release because programs that rely upon these random generators for passwords are at an increased risk of brute-force-style password guessing. There is also a higher probability of collision.
Recommendations: For versions prior to 1.1.1, update to version 1.1.1 to resolve the issue. As a temporary workaround, consider calling RandomAlphaNumericCustom(N, true, true) or CryptoRandomAlphaNumericCustom(N, true, true) instead, where N is the desired length and true is the literal boolean true.
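The following Go program is an added illustration, not part of this advisory or of the affected project's code. It models the described behaviour (a generator that forces at least one digit into every result) beside a uniform one, counts the two output spaces assuming the usual 62-character alphabet (a-z, A-Z, 0-9), and shows a black-box check a defender can run against any such generator: for small lengths, a sound generator must not return a digit in every sample. All function names are the example's own.

```go
package main

import (
	"crypto/rand"
	"math/big"
	"strings"
)

// 62-symbol alphabet assumed for the affected functions (example assumption).
const digits, alnum = "0123456789", "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"

// randIndex draws a uniform index in [0, n) from crypto/rand (n must be > 0).
func randIndex(n int) int {
	v, err := rand.Int(rand.Reader, big.NewInt(int64(n)))
	if err != nil {
		panic(err)
	}
	return int(v.Int64())
}
// alphaNumeric draws each position uniformly from the 62 symbols; forceDigit models the
// advisory's behaviour (not the project's code): one random position is overwritten with
// a digit, so every result contains a digit and a length-1 result can only be "0".."9".
func alphaNumeric(n int, forceDigit bool) string {
	b := make([]byte, n)
	for i := range b {
		b[i] = alnum[randIndex(len(alnum))]
	}
	if forceDigit && n > 0 {
		b[randIndex(n)] = digits[randIndex(len(digits))]
	}
	return string(b)
}
// outputSpace counts distinct n-character outputs (n <= 10 fits uint64): 62^n when
// uniform, 62^n - 52^n with a forced digit (all-letter strings are never produced).
func outputSpace(n int) (uniform, biased uint64) {
	uniform, noDigit := uint64(1), uint64(1)
	for ; n > 0; n-- {
		uniform, noDigit = uniform*62, noDigit*52
	}
	return uniform, uniform - noDigit
}
// alwaysContainsDigit is a black-box check: true when every one of `trials` outputs
// of length n contains a digit, which for small n exposes the bias without source.
func alwaysContainsDigit(gen func(int) string, n, trials int) bool {
	for i := 0; i < trials; i++ {
		if !strings.ContainsAny(gen(n), digits) {
			return false
		}
	}
	return true
}
```

For length 4 the counts are 14,776,336 uniform outputs against 7,464,720 when a digit is forced, which is the "~7 million" the advisory cites; log2 of each count gives the entropy in bits (about 23.8 versus 22.8, and 5.95 versus 3.32 for length 1).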

Related Identifiers

AZL-41275
CVE-2021-4238
GHSA-3839-6R69-M497
GHSA-XG2H-WX96-XGXR
GO-2022-0411
RHSA-2023:0540

Affected Products

Softwarex