#VU83992 Use of insufficiently random values in crypto-js


Published: 2023-12-08

Vulnerability identifier: #VU83992

Vulnerability risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-36732

CWE-ID: CWE-330

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
crypto-js
Web applications / JS libraries

Vendor: brix

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to the application generates random numbers by concatenating the string "0." with an integer, which makes the output more predictable than necessary. A remote attacker can gain access to sensitive information.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

crypto-js: 3.1.2 - 3.2.0

External links
http://github.com/brix/crypto-js/issues/254
http://security.snyk.io/vuln/SNYK-JS-CRYPTOJS-548472
http://github.com/brix/crypto-js/issues/256
http://github.com/brix/crypto-js/compare/3.2.0...3.2.1
http://github.com/brix/crypto-js/pull/257/commits/e4ac157d8b75b962d6538fc0b996e5d4d5a9466b
http://security.netapp.com/advisory/ntap-20230706-0003/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM Cloud Pak for Watson AIOps
Use of insufficiently random values in crypto-js