Use of insufficiently random values in crypto-js - CVE-2020-36732
Published: December 8, 2023
Vulnerability identifier: #VU83992
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2020-36732
CWE-ID: CWE-330
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: brix
Affected software:
crypto-js
crypto-js
Detailed vulnerability description
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to the application generates random numbers by concatenating the string "0." with an
integer, which makes the output more predictable than necessary. A remote attacker can gain access to sensitive information.
How to mitigate CVE-2020-36732
Install updates from vendor's website.
Sources
- https://github.com/brix/crypto-js/issues/254
- https://security.snyk.io/vuln/SNYK-JS-CRYPTOJS-548472
- https://github.com/brix/crypto-js/issues/256
- https://github.com/brix/crypto-js/compare/3.2.0...3.2.1
- https://github.com/brix/crypto-js/pull/257/commits/e4ac157d8b75b962d6538fc0b996e5d4d5a9466b
- https://security.netapp.com/advisory/ntap-20230706-0003/