#VU83992 Use of insufficiently random values in crypto-js - CVE-2020-36732
Published: December 8, 2023
Vulnerability identifier: #VU83992
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2020-36732
CWE-ID: CWE-330
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
crypto-js
crypto-js
Software vendor:
brix
brix
Description
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to the application generates random numbers by concatenating the string "0." with an
integer, which makes the output more predictable than necessary. A remote attacker can gain access to sensitive information.
Remediation
Install updates from vendor's website.
External links
- https://github.com/brix/crypto-js/issues/254
- https://security.snyk.io/vuln/SNYK-JS-CRYPTOJS-548472
- https://github.com/brix/crypto-js/issues/256
- https://github.com/brix/crypto-js/compare/3.2.0...3.2.1
- https://github.com/brix/crypto-js/pull/257/commits/e4ac157d8b75b962d6538fc0b996e5d4d5a9466b
- https://security.netapp.com/advisory/ntap-20230706-0003/