CVE-2020-36732
Severity CVSS v4.0:
Pending analysis
Type:
CWE-330
Use of Insufficiently Random Value
Publication date:
12/06/2023
Last modified:
06/01/2025
Description
The crypto-js package before 3.2.1 for Node.js generates random numbers by concatenating the string "0." with an integer, which makes the output more predictable than necessary.
Impact
Base Score 3.x
5.30
Severity 3.x
MEDIUM
Vulnerable products and versions
CPE | From | Up to |
---|---|---|
cpe:2.3:a:crypto-js_project:crypto-js:*:*:*:*:*:*:*:* | | 3.2.1 (excluding) |
References to Advisories, Solutions, and Tools
- https://github.com/brix/crypto-js/compare/3.2.0...3.2.1
- https://github.com/brix/crypto-js/issues/254
- https://github.com/brix/crypto-js/issues/256
- https://github.com/brix/crypto-js/pull/257/commits/e4ac157d8b75b962d6538fc0b996e5d4d5a9466b
- https://security.netapp.com/advisory/ntap-20230706-0003/
- https://security.snyk.io/vuln/SNYK-JS-CRYPTOJS-548472