Vulnerability Details CVE-2016-6485
The __construct function in Framework/Encryption/Crypt.php in Magento 2 uses the PHP rand function to generate a random number for the initialization vector, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by guessing the value.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 14.5%
CVSS Severity
CVSS v3 Score 7.5
CVSS v2 Score 5.0
References
- http://www.openwall.com/lists/oss-security/2016/07/19/3
- http://www.openwall.com/lists/oss-security/2016/07/27/14
- https://github.com/magento/magento2/pull/15017
- http://www.openwall.com/lists/oss-security/2016/07/19/3
- http://www.openwall.com/lists/oss-security/2016/07/27/14
- https://github.com/magento/magento2/pull/15017