CVE-2014-3503
Apache Syncope uses a weak PRNG
EPSS 1.9%
Description
Apache Syncope 1.1.x before 1.1.8 uses weak random values to generate passwords, which makes it easier for remote attackers to guess the password via a brute force attack.
How to fix CVE-2014-3503
To remediate CVE-2014-3503, upgrade the affected package to a fixed version below.
- Maven: org.apache.syncope:syncope, upgrade to 1.1.8 or later
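The weakness described above is a password generator driven by a non-cryptographic random source. The following Java class is an added illustration of that bug class beside its hardened form; it is not Syncope's own code and is not taken from the referenced fix commit, and the alphabet, method names and password length are assumptions chosen for the example.

```java
import java.security.SecureRandom;
import java.util.Random;

public class PasswordGeneration {
    private static final String ALPHABET =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

    // Builds a password by drawing one character per step from rng.
    // The strength of the result depends entirely on the generator passed in.
    static String fromRng(Random rng, int length) {
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) {
            sb.append(ALPHABET.charAt(rng.nextInt(ALPHABET.length())));
        }
        return sb.toString();
    }

    // Weak pattern (illustrative of the CVE-2014-3503 bug class, not Syncope's
    // own code): java.util.Random is a 48-bit linear congruential generator
    // whose entire output follows from its seed, and the default seed is
    // derived from the clock. The password therefore has far less effective
    // entropy than its length suggests.
    static String weakPassword(int length) {
        return fromRng(new Random(), length);
    }

    // Hardened pattern: SecureRandom draws from the platform's cryptographic
    // entropy source, so each character is independent and unpredictable.
    // SecureRandom extends Random, so the same helper serves both variants.
    static String strongPassword(int length) {
        return fromRng(new SecureRandom(), length);
    }

    public static void main(String[] args) {
        // Equal seed, equal "random" password: this determinism is what makes
        // the weak generator's output guessable once the seed is narrowed down.
        String a = fromRng(new Random(42L), 12);
        String b = fromRng(new Random(42L), 12);
        System.out.println("weak generator repeats with equal seed: " + a.equals(b));
        System.out.println("weak:   " + weakPassword(12));
        System.out.println("strong: " + strongPassword(12));
    }
}
```

When reviewing a code base for this pattern, treat any `java.util.Random` (or `Math.random()`) feeding a password, token or secret as a finding regardless of the output length.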
Is CVE-2014-3503 being exploited?
Low — EPSS is 1.9%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- org.apache.syncope:syncope (Maven): >= 1.1.0, < 1.1.8
References (7)
- ADVISORY: nvd.nist.gov/vuln/detail/CVE-2014-3503
- WEB: packetstormsecurity.com/files/127375/Apache-Syncope-Insecure-Password-Generation.html
- WEB: github.com/apache/syncope/commit/8e0045925a387ee211832c7e0709dd418cda1ad3
- WEB: syncope.apache.org/security.html#cve-2014-3503-insecure-random-implementations-used-to-generate-p