Lucene search

GitHub_MCVE-2023-46233

HistoryOct 25, 2023 - 9:15 p.m.

CVE-2023-46233

2023-10-2521:15:10

CWE-916

CWE-328

CWE-327

GitHub_M

web.nvd.nist.gov

116

crypto-js

javascript library

crypto standards

cve-2023-46233

pbkdf2

sha1

sha256

iteration count

security patch

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

AI Score

8.9

Confidence

High

EPSS

0.001

Percentile

31.5%

JSON

crypto-js is a JavaScript library of crypto standards. Prior to version 4.2.0, crypto-js PBKDF2 is 1,000 times weaker than originally specified in 1993, and at least 1,300,000 times weaker than current industry standard. This is because it both defaults to SHA1, a cryptographic hash algorithm considered insecure since at least 2005, and defaults to one single iteration, a ‘strength’ or ‘difficulty’ value specified at 1,000 when specified in 1993. PBKDF2 relies on iteration count as a countermeasure to preimage and collision attacks. If used to protect passwords, the impact is high. If used to generate signatures, the impact is high. Version 4.2.0 contains a patch for this issue. As a workaround, configure crypto-js to use SHA256 with at least 250,000 iterations.

Affected configurations

Nvd

Vulners

Node

crypto-js_projectcrypto-jsRange<4.2.0

VendorProductVersionCPE
crypto-js_projectcrypto-js*cpe:2.3:a:crypto-js_project:crypto-js:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
crypto-js_project	crypto-js	*	cpe:2.3:a:crypto-js_project:crypto-js::::::::

CNA Affected

[
  {
    "vendor": "brix",
    "product": "crypto-js",
    "versions": [
      {
        "version": "< 4.2.0",
        "status": "affected"
      }
    ]
  }
]