#VU83992 Use of insufficiently random values in crypto-js - CVE-2020-36732

Cybersecurity Help s.r.o.

Published: 2023-12-08

Vulnerability identifier: #VU83992

Vulnerability risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2020-36732

CWE-ID: CWE-330

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
crypto-js
Web applications / JS libraries

Vendor: brix

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to the application generates random numbers by concatenating the string "0." with an integer, which makes the output more predictable than necessary. A remote attacker can gain access to sensitive information.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

crypto-js: 3.1.2 - 3.2.0

External links
https://github.com/brix/crypto-js/issues/254
https://security.snyk.io/vuln/SNYK-JS-CRYPTOJS-548472
https://github.com/brix/crypto-js/issues/256
https://github.com/brix/crypto-js/compare/3.2.0...3.2.1
https://github.com/brix/crypto-js/pull/257/commits/e4ac157d8b75b962d6538fc0b996e5d4d5a9466b
https://security.netapp.com/advisory/ntap-20230706-0003/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Cloud Pak for Watson AIOps

Use of insufficiently random values in crypto-js