Upstream information

CVE-2023-46233 at MITRE

Description

crypto-js is a JavaScript library of crypto standards. Prior to version 4.2.0, crypto-js PBKDF2 is 1,000 times weaker than originally specified in 1993, and at least 1,300,000 times weaker than current industry standard. This is because it both defaults to SHA1, a cryptographic hash algorithm considered insecure since at least 2005, and defaults to one single iteration, a 'strength' or 'difficulty' value specified at 1,000 when specified in 1993. PBKDF2 relies on iteration count as a countermeasure to preimage and collision attacks. If used to protect passwords, the impact is high. If used to generate signatures, the impact is high. Version 4.2.0 contains a patch for this issue. As a workaround, configure crypto-js to use SHA256 with at least 250,000 iterations.
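
To find code that still relies on the weak defaults described above, the following added example (not part of the advisory, SUSE's page, or the crypto-js project) scans JavaScript source for `CryptoJS.PBKDF2` calls and checks them against the workaround's thresholds. It assumes the options-object call style with `hasher` and `iterations` keys; the function names and the sample input are constructed for illustration.

```javascript
// Added example: flags CryptoJS.PBKDF2 calls affected by CVE-2023-46233.
// Threshold comes from the advisory's workaround: SHA256, >= 250,000 iterations.
const MIN_ITERATIONS = 250000;

// Return the text between the "(" at openIdx and its matching ")".
function callArguments(src, openIdx) {
  let depth = 0;
  for (let i = openIdx; i < src.length; i++) {
    if (src[i] === "(") depth++;
    else if (src[i] === ")" && --depth === 0) return src.slice(openIdx + 1, i);
  }
  return src.slice(openIdx + 1); // unbalanced: treat the rest as arguments
}

// Hypothetical helper: returns [{ line, problems: [...] }] for risky calls.
function auditPbkdf2Calls(src) {
  const findings = [];
  const callRe = /CryptoJS\.PBKDF2\s*\(/g;
  let m;
  while ((m = callRe.exec(src)) !== null) {
    const args = callArguments(src, m.index + m[0].length - 1);
    const line = src.slice(0, m.index).split("\n").length;
    const problems = [];
    const iter = /iterations\s*:\s*([\d_]+)\b/.exec(args);
    const hasher = /hasher\s*:\s*CryptoJS\.algo\.(\w+)/.exec(args);
    if (!iter) problems.push("iterations not set as a literal (pre-4.2.0 default is 1)");
    else if (Number(iter[1].replace(/_/g, "")) < MIN_ITERATIONS)
      problems.push(`iterations ${iter[1]} below ${MIN_ITERATIONS}`);
    if (!hasher) problems.push("hasher not set (pre-4.2.0 default is SHA1)");
    else if (hasher[1] === "SHA1") problems.push("weak hasher SHA1");
    if (problems.length) findings.push({ line, problems });
  }
  return findings;
}

// Constructed sample input, not taken from any real project.
const SAMPLE = `
const k1 = CryptoJS.PBKDF2(password, salt, { keySize: 256 / 32 });
const k2 = CryptoJS.PBKDF2(password, salt, {
  keySize: 256 / 32, hasher: CryptoJS.algo.SHA256, iterations: 1000 });
const k3 = CryptoJS.PBKDF2(getPw(), salt, {
  keySize: 256 / 32, hasher: CryptoJS.algo.SHA256, iterations: 250000 });
`;

for (const f of auditPbkdf2Calls(SAMPLE))
  console.log(`line ${f.line}: ${f.problems.join("; ")}`);
```

Calls whose iteration count is a variable rather than a literal are reported too, so they can be reviewed by hand.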

SUSE information

Overall state of this security issue: Does not affect SUSE products

This issue is currently rated as having critical severity.

CVSS v3 Scores (National Vulnerability Database)

  • Base Score: 9.1
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None
  • CVSSv3 Version: 3.1

No SUSE Bugzilla entries cross referenced.

No SUSE Security Announcements cross referenced.

List of released packages

Product(s): SUSE Liberty Linux 9

Fixed package version(s):
  • aspnetcore-runtime-7.0 >= 7.0.16-1.el9_3
  • aspnetcore-targeting-pack-7.0 >= 7.0.16-1.el9_3
  • dotnet-apphost-pack-7.0 >= 7.0.16-1.el9_3
  • dotnet-hostfxr-7.0 >= 7.0.16-1.el9_3
  • dotnet-runtime-7.0 >= 7.0.16-1.el9_3
  • dotnet-sdk-7.0 >= 7.0.116-1.el9_3
  • dotnet-sdk-7.0-source-built-artifacts >= 7.0.116-1.el9_3
  • dotnet-targeting-pack-7.0 >= 7.0.16-1.el9_3
  • dotnet-templates-7.0 >= 7.0.116-1.el9_3

References:
  • Patchnames: RHSA-2024:0805


SUSE Timeline for this CVE

CVE page created: Thu Oct 26 00:02:25 2023
CVE page last modified: Wed Jul 10 19:49:12 2024