Upstream information
CVE-2023-46233 at MITRE
Description
crypto-js is a JavaScript library of crypto standards. Prior to version 4.2.0, crypto-js PBKDF2 is 1,000 times weaker than originally specified in 1993, and at least 1,300,000 times weaker than the current industry standard. This is because it defaults both to SHA1, a cryptographic hash algorithm considered insecure since at least 2005, and to a single iteration, whereas the 1993 specification set this 'strength' or 'difficulty' value at 1,000. PBKDF2 relies on the iteration count as a countermeasure to preimage and collision attacks. If used to protect passwords, the impact is high. If used to generate signatures, the impact is high. Version 4.2.0 contains a patch for this issue. As a workaround, configure crypto-js to use SHA256 with at least 250,000 iterations.
Overall state of this security issue: Resolved
This issue is currently rated as having critical severity.
CVSS v3 Scores
| CVSS detail | National Vulnerability Database |
|---|---|
| Base Score | 9.1 |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality Impact | High |
| Integrity Impact | High |
| Availability Impact | None |
| CVSSv3 Version | 3.1 |
No SUSE Bugzilla entries cross referenced.
No SUSE Security Announcements cross referenced.
List of released packages
| Product(s) | Fixed package version(s) | References |
|---|---|---|
| SUSE Liberty Linux 8 | aspnetcore-runtime-6.0 >= 6.0.26-1.el8_9<br>aspnetcore-runtime-7.0 >= 7.0.16-1.el8_9<br>aspnetcore-targeting-pack-6.0 >= 6.0.26-1.el8_9<br>aspnetcore-targeting-pack-7.0 >= 7.0.16-1.el8_9<br>dotnet-apphost-pack-6.0 >= 6.0.26-1.el8_9<br>dotnet-apphost-pack-7.0 >= 7.0.16-1.el8_9<br>dotnet-hostfxr-6.0 >= 6.0.26-1.el8_9<br>dotnet-hostfxr-7.0 >= 7.0.16-1.el8_9<br>dotnet-runtime-6.0 >= 6.0.26-1.el8_9<br>dotnet-runtime-7.0 >= 7.0.16-1.el8_9<br>dotnet-sdk-6.0 >= 6.0.126-1.el8_9<br>dotnet-sdk-6.0-source-built-artifacts >= 6.0.126-1.el8_9<br>dotnet-sdk-7.0 >= 7.0.116-1.el8_9<br>dotnet-sdk-7.0-source-built-artifacts >= 7.0.116-1.el8_9<br>dotnet-targeting-pack-6.0 >= 6.0.26-1.el8_9<br>dotnet-targeting-pack-7.0 >= 7.0.16-1.el8_9<br>dotnet-templates-6.0 >= 6.0.126-1.el8_9<br>dotnet-templates-7.0 >= 7.0.116-1.el8_9 | Patchnames: RHSA-2024:0157 RHSA-2024:0158 RHSA-2024:0806 |
| SUSE Liberty Linux 9 | aspnetcore-runtime-6.0 >= 6.0.26-1.el9_3<br>aspnetcore-runtime-7.0 >= 7.0.16-1.el9_3<br>aspnetcore-targeting-pack-6.0 >= 6.0.26-1.el9_3<br>aspnetcore-targeting-pack-7.0 >= 7.0.16-1.el9_3<br>dotnet-apphost-pack-6.0 >= 6.0.26-1.el9_3<br>dotnet-apphost-pack-7.0 >= 7.0.16-1.el9_3<br>dotnet-hostfxr-6.0 >= 6.0.26-1.el9_3<br>dotnet-hostfxr-7.0 >= 7.0.16-1.el9_3<br>dotnet-runtime-6.0 >= 6.0.26-1.el9_3<br>dotnet-runtime-7.0 >= 7.0.16-1.el9_3<br>dotnet-sdk-6.0 >= 6.0.126-1.el9_3<br>dotnet-sdk-6.0-source-built-artifacts >= 6.0.126-1.el9_3<br>dotnet-sdk-7.0 >= 7.0.116-1.el9_3<br>dotnet-sdk-7.0-source-built-artifacts >= 7.0.116-1.el9_3<br>dotnet-targeting-pack-6.0 >= 6.0.26-1.el9_3<br>dotnet-targeting-pack-7.0 >= 7.0.16-1.el9_3<br>dotnet-templates-6.0 >= 6.0.126-1.el9_3<br>dotnet-templates-7.0 >= 7.0.116-1.el9_3 | Patchnames: RHSA-2024:0151 RHSA-2024:0156 RHSA-2024:0805 |
SUSE Timeline for this CVE
CVE page created: Thu Oct 26 00:02:25 2023
CVE page last modified: Fri Apr 10 17:14:38 2026