You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
crypto-js is a JavaScript library of crypto standards. Prior to version 4.2.0, crypto-js PBKDF2 is 1,000 times weaker than originally specified in 1993, and at least 1,300,000 times weaker than current industry standard. This is because it both defaults to SHA1, a cryptographic hash algorithm considered insecure since at least 2005, and defaults to one single iteration, a 'strength' or 'difficulty' value specified at 1,000 when specified in 1993. PBKDF2 relies on iteration count as a countermeasure to preimage and collision attacks. If used to protect passwords, the impact is high. If used to generate signatures, the impact is high. Version 4.2.0 contains a patch for this issue. As a workaround, configure crypto-js to use SHA256 with at least 250,000 iterations.
✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
mend-for-github-combot
changed the title
CVE-2023-46233 (Critical) detected in crypto-js-3.3.0.tgz
CVE-2023-46233 (Critical) detected in crypto-js-3.3.0.tgz - autoclosed
May 4, 2024
mend-for-github-combot
changed the title
CVE-2023-46233 (Critical) detected in crypto-js-3.3.0.tgz - autoclosed
CVE-2023-46233 (Critical) detected in crypto-js-3.3.0.tgz
May 4, 2024
ℹ️ This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.
mend-for-github-combot
changed the title
CVE-2023-46233 (Critical) detected in crypto-js-3.3.0.tgz
CVE-2023-46233 (Critical) detected in crypto-js-3.3.0.tgz - autoclosed
May 19, 2024
CVE-2023-46233 - Critical Severity Vulnerability
Vulnerable Library - crypto-js-3.3.0.tgz
JavaScript library of crypto standards.
Library home page: https://registry.npmjs.org/crypto-js/-/crypto-js-3.3.0.tgz
Path to dependency file: /core/jazz_logout/package.json
Path to vulnerable library: /core/jazz_logout/node_modules/crypto-js/package.json,/core/jazz_login/node_modules/crypto-js/package.json
Dependency Hierarchy:
Found in HEAD commit: 712665b267203375ee4b15e1f8d1ebe08abc1547
Found in base branch: develop
Vulnerability Details
crypto-js is a JavaScript library of crypto standards. Prior to version 4.2.0, crypto-js PBKDF2 is 1,000 times weaker than originally specified in 1993, and at least 1,300,000 times weaker than current industry standard. This is because it both defaults to SHA1, a cryptographic hash algorithm considered insecure since at least 2005, and defaults to one single iteration, a 'strength' or 'difficulty' value specified at 1,000 when specified in 1993. PBKDF2 relies on iteration count as a countermeasure to preimage and collision attacks. If used to protect passwords, the impact is high. If used to generate signatures, the impact is high. Version 4.2.0 contains a patch for this issue. As a workaround, configure crypto-js to use SHA256 with at least 250,000 iterations.
Publish Date: 2023-10-25
URL: CVE-2023-46233
CVSS 3 Score Details (9.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-46233
Release Date: 2023-10-25
Fix Resolution: crypto-js - 4.2.0
The text was updated successfully, but these errors were encountered: