CVE-2023-46233 crypto-js PBKDF2 1,000 times weaker than specified in 1993 and 1.3M times weaker than current standard

🗓️ 25 Oct 2023 20:49:31Reported by GitHub_MType

Weak PBKDF2 in crypto-js prior to version 4.2.0

Reporter	Title	Published	Views	Family All 64
IBM Security Bulletins	Security Bulletin: The IBM® Engineering Lifecycle Management is impacted by vulnerabilties in crypto-js version 3.1.2	10 Jan 202506:42	–	ibm
IBM Security Bulletins	Security Bulletin: Security Vulnerabilities have been found in IBM Verify Identity Access and IBM Security Verify Access	2 Jun 202607:04	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Planning Analytics Workspace has addressed multiple vulnerabilities	27 Mar 202420:31	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerability in Brix crypto-js affects IBM Process Mining CVE-2023-46233	15 Dec 202314:36	–	ibm
IBM Security Bulletins	Security Bulletin: crypto-js affects IBM Spectrum Control [CVE-2023-46233]	11 Dec 202308:36	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Automation Decision Services November 2023 - Multiple CVEs addressed	12 Dec 202317:56	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerability in CloudPak for AIOPs [CVE-2023-46233]	18 Dec 202317:47	–	ibm
Circl	CVE-2023-46233	26 Oct 202300:39	–	circl
CNNVD	crypto-js encryption issue vulnerability	25 Oct 202300:00	–	cnnvd
CVE	CVE-2023-46233	25 Oct 202320:49	–	cve

[
  {
    "vendor": "brix",
    "product": "crypto-js",
    "versions": [
      {
        "version": "< 4.2.0",
        "status": "affected"
      }
    ]
  }
]

Source	Link
lists	www.lists.debian.org/debian-lts-announce/2023/11/msg00025.html
github	www.github.com/brix/crypto-js/commit/421dd538b2d34e7c24a5b72cc64dc2b9167db40a
github	www.github.com/brix/crypto-js/security/advisories/GHSA-xwcq-pm8m-c4vf

27 Nov 2023 20:06Current

9.3High risk

Vulners AI Score9.3

CVSS 3.19.1

EPSS0.00916