GoogleOSV:GHSA-3W3W-PXMM-2W2Jcrypto-js uses insecure random numbers
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
0.001 Low
EPSS
Percentile
30.5%
The crypto-js package before 3.2.1 for Node.js generates random numbers by concatenating the string “0.” with an integer, which makes the output more predictable than necessary.
References
github.com/brix/crypto-js
github.com/brix/crypto-js/commit/e4ac157d8b75b962d6538fc0b996e5d4d5a9466b
github.com/brix/crypto-js/compare/3.2.0...3.2.1
github.com/brix/crypto-js/issues/254
github.com/brix/crypto-js/issues/256
github.com/brix/crypto-js/pull/257/commits/e4ac157d8b75b962d6538fc0b996e5d4d5a9466b
nvd.nist.gov/vuln/detail/CVE-2020-36732
security.netapp.com/advisory/ntap-20230706-0003
security.snyk.io/vuln/SNYK-JS-CRYPTOJS-548472
Related
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
0.001 Low
EPSS
Percentile
30.5%