Vulnerability in Theonedev Onedev

CVE-2023-24828

Onedev is a self-hosted Git server with CI/CD and Kanban. In versions prior to 7.9.12, the algorithm used to generate access tokens and password reset keys was not cryptographically secure. Existing normal users (or everyone if it allows sel…

EPSS: 0.003 (53.4th percentile).

CVSS v3 metric

CVSS v3 base score 8.1 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N.

Frequently asked questions

What is CVE-2023-24828?
CVE-2023-24828 is a high-severity vulnerability in Theonedev Onedev, classified under Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG). CVSS score: 8.1/10. Published 2023-02-07.
How severe is CVE-2023-24828?
High severity. CVSS v3 base score is 8.1 out of 10.