MEDIUM 5.3 npm
crypto-js uses insecure random numbers
GHSA-3w3w-pxmm-2w2j · CVE-2020-36732
Published · Modified
Description
The crypto-js package 3.2.0 for Node.js generates random numbers by concatenating the string "0." with an integer, which makes the output more predictable than necessary.
References
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2020-36732
- WEB https://github.com/brix/crypto-js/issues/254
- WEB https://github.com/brix/crypto-js/issues/256
- WEB https://github.com/brix/crypto-js/pull/257/commits/e4ac157d8b75b962d6538fc0b996e5d4d5a9466b
- WEB https://github.com/brix/crypto-js/commit/b405ff597fb3ac76a7bdfbc72dca10ba1079b1d5
- WEB https://github.com/brix/crypto-js/commit/e4ac157d8b75b962d6538fc0b996e5d4d5a9466b
- PACKAGE https://github.com/brix/crypto-js
- WEB https://github.com/brix/crypto-js/compare/3.2.0...3.2.1
- WEB https://security.netapp.com/advisory/ntap-20230706-0003
- WEB https://security.snyk.io/vuln/SNYK-JS-CRYPTOJS-548472
Ready to move
Start Securing
Free, no credit card | First findings in minutes