#VU83993 Use of a broken or risky cryptographic algorithm in crypto-js - CVE-2023-46233


Vulnerability identifier: #VU83993

Vulnerability risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-46233

CWE-ID: CWE-327

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
crypto-js
Web applications / JS libraries

Vendor: brix

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to usage of a weak PBKDF2 algorithm. A remote attacker can gain access to sensitive information.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

crypto-js: 3.1.2 - 4.1.1

External links
http://github.com/brix/crypto-js/security/advisories/GHSA-xwcq-pm8m-c4vf
http://github.com/brix/crypto-js/commit/421dd538b2d34e7c24a5b72cc64dc2b9167db40a
http://lists.debian.org/debian-lts-announce/2023/11/msg00025.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


IBM Jazz Foundation update for Brix crypto-js
Ubuntu update for cryptojs
Multiple vulnerabilities in IBM Cloud Pak for Business Automation
IBM Cloud Pak for Watson AIOps update for crypto-js
IBM Process Mining update for crypto-js
Multiple vulnerabilities in IBM Automation Decision Services
Use of a broken or risky cryptographic algorithm in IBM Spectrum Control
Use of a weak cryptographic algorithm in crypto-js