Use of insufficiently random values in crypto-js



Published: 2023-12-08
Risk Medium
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2020-36732
CWE-ID CWE-330
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe 		crypto-js
Web applications / JS libraries

Vendor brix

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Use of insufficiently random values

EUVDB-ID: #VU83992

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-36732

CWE-ID: CWE-330 - Use of Insufficiently Random Values

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to the application generates random numbers by concatenating the string "0." with an integer, which makes the output more predictable than necessary. A remote attacker can gain access to sensitive information.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

crypto-js: 3.1.2 - 3.2.0

External links

http://github.com/brix/crypto-js/issues/254
http://security.snyk.io/vuln/SNYK-JS-CRYPTOJS-548472
http://github.com/brix/crypto-js/issues/256
http://github.com/brix/crypto-js/compare/3.2.0...3.2.1
http://github.com/brix/crypto-js/pull/257/commits/e4ac157d8b75b962d6538fc0b996e5d4d5a9466b
http://security.netapp.com/advisory/ntap-20230706-0003/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###