CVE-2020-36732

Опубликовано: 12 июн. 2023

Источник: nvd

CVSS3: 5.3

EPSS Низкий

Описание

The crypto-js package before 3.2.1 for Node.js generates random numbers by concatenating the string "0." with an integer, which makes the output more predictable than necessary.

Ссылки

https://github.com/brix/crypto-js/compare/3.2.0...3.2.1
Release Notes
https://github.com/brix/crypto-js/issues/254
Issue Tracking
Vendor Advisory
https://github.com/brix/crypto-js/issues/256
Issue Tracking
Patch
Vendor Advisory
https://github.com/brix/crypto-js/pull/257/commits/e4ac157d8b75b962d6538fc0b996e5d4d5a9466b
Patch
https://security.netapp.com/advisory/ntap-20230706-0003/
https://security.snyk.io/vuln/SNYK-JS-CRYPTOJS-548472
Third Party Advisory
https://github.com/brix/crypto-js/compare/3.2.0...3.2.1
Release Notes
https://github.com/brix/crypto-js/issues/254
Issue Tracking
Vendor Advisory
https://github.com/brix/crypto-js/issues/256
Issue Tracking
Patch
Vendor Advisory
https://github.com/brix/crypto-js/pull/257/commits/e4ac157d8b75b962d6538fc0b996e5d4d5a9466b
Patch
https://security.netapp.com/advisory/ntap-20230706-0003/
https://security.snyk.io/vuln/SNYK-JS-CRYPTOJS-548472
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:crypto-js_project:crypto-js:*:*:*:*:*:*:*:*

Версия до 3.2.1 (исключая)

EPSS

Процентиль: 77%

0.01061

Низкий

5.3 Medium

CVSS3

Дефекты

CWE-330

CWE-331

Связанные уязвимости

CVE-2020-36732

CVSS3: 5.3

ubuntu

больше 2 лет назад

The crypto-js package before 3.2.1 for Node.js generates random numbers by concatenating the string "0." with an integer, which makes the output more predictable than necessary.

GHSA-3w3w-pxmm-2w2j

CVSS3: 5.3

github

больше 2 лет назад

crypto-js uses insecure random numbers

EPSS

Процентиль: 77%

0.01061

Низкий

5.3 Medium

CVSS3

Дефекты

CWE-330

CWE-331