CVE-2023-46233

EPSS 0.82%
Veröffentlicht 25.10.2023 21:15:10
Zuletzt bearbeitet 21.11.2024 08:28:07
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

crypto-js is a JavaScript library of crypto standards. Prior to version 4.2.0, crypto-js PBKDF2 is 1,000 times weaker than originally specified in 1993, and at least 1,300,000 times weaker than current industry standard. This is because it both defaults to SHA1, a cryptographic hash algorithm considered insecure since at least 2005, and defaults to one single iteration, a 'strength' or 'difficulty' value specified at 1,000 when specified in 1993. PBKDF2 relies on iteration count as a countermeasure to preimage and collision attacks. If used to protect passwords, the impact is high. If used to generate signatures, the impact is high. Version 4.2.0 contains a patch for this issue. As a workaround, configure crypto-js to use SHA256 with at least 250,000 iterations.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 3 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Crypto-js Project ≫ Crypto-js Version < 4.2.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.82%	0.741

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.1	3.9	5.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
security-advisories@github.com	9.1	3.9	5.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE-327 Use of a Broken or Risky Cryptographic Algorithm

The product uses a broken or risky cryptographic algorithm or protocol.

CWE-328 Use of Weak Hash

The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (2nd preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack).

CWE-916 Use of Password Hash With Insufficient Computational Effort

The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.

https://github.com/brix/crypto-js/commit/421dd538b2d34e7c24a5b72cc64dc2b9167db40a

Patch

https://github.com/brix/crypto-js/security/advisories/GHSA-xwcq-pm8m-c4vf

Vendor Advisory

https://lists.debian.org/debian-lts-announce/2023/11/msg00025.html

https://nvd.nist.gov/vuln/detail/CVE-2023-46233

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-46233

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-46233

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2023-46233