Lucene search

GoogleOSV:CVE-2020-36732

HistoryJun 12, 2023 - 2:15 a.m.

CVE-2020-36732

2023-06-1202:15:48

Google

osv.dev

crypto-js

node.js

random numbers

predictable

security vulnerability

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

7.2 High

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

30.5%

JSON

The crypto-js package before 3.2.1 for Node.js generates random numbers by concatenating the string “0.” with an integer, which makes the output more predictable than necessary.

CPENameOperatorVersion
crypto-jseq3.1.8
crypto-jseqrelease-3.1.2
crypto-jseq3.2.0
crypto-jseqrelease-3.1.2-1
crypto-jseqrelease-3.1.2-5
crypto-jseqrelease-3.1.2-2
crypto-jseq3.1.9
crypto-jseq3.1.4
crypto-jseqrelease-3.1.2-3
crypto-jseq3.1.3

Name	Operator	Version
crypto-js	eq	3.1.8
crypto-js	eq	release-3.1.2
crypto-js	eq	3.2.0
crypto-js	eq	release-3.1.2-1
crypto-js	eq	release-3.1.2-5
crypto-js	eq	release-3.1.2-2
crypto-js	eq	3.1.9
crypto-js	eq	3.1.4
crypto-js	eq	release-3.1.2-3
crypto-js	eq	3.1.3

Rows per page:

1-10 of 151

References

github.com/brix/crypto-js/compare/3.2.0...3.2.1

github.com/brix/crypto-js/issues/254

github.com/brix/crypto-js/issues/256

github.com/brix/crypto-js/pull/257/commits/e4ac157d8b75b962d6538fc0b996e5d4d5a9466b

security.netapp.com/advisory/ntap-20230706-0003/

security.snyk.io/vuln/SNYK-JS-CRYPTOJS-548472

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

7.2 High

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

30.5%

JSON

Related for OSV:CVE-2020-36732