Risk | Medium |
Patch available | YES |
Number of vulnerabilities | 1 |
CVE-ID | CVE-2020-36732 |
CWE-ID | CWE-330 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software Subscribe |
crypto-js Web applications / JS libraries |
Vendor | brix |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
EUVDB-ID: #VU83992
Risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-36732
CWE-ID:
CWE-330 - Use of Insufficiently Random Values
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to the application generates random numbers by concatenating the string "0." with an
integer, which makes the output more predictable than necessary. A remote attacker can gain access to sensitive information.
Install updates from vendor's website.
Vulnerable software versionscrypto-js: 3.1.2 - 3.2.0
External linkshttp://github.com/brix/crypto-js/issues/254
http://security.snyk.io/vuln/SNYK-JS-CRYPTOJS-548472
http://github.com/brix/crypto-js/issues/256
http://github.com/brix/crypto-js/compare/3.2.0...3.2.1
http://github.com/brix/crypto-js/pull/257/commits/e4ac157d8b75b962d6538fc0b996e5d4d5a9466b
http://security.netapp.com/advisory/ntap-20230706-0003/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.