CVE-2023-46233 Information

Description

crypto-js is a JavaScript library of crypto standards. Prior to version 4.2.0, crypto-js PBKDF2 is 1000 times weaker than originally specified in 1993 and at least 1,300,000 times weaker than the current industry standard. This is because it both defaults to SHA1, a cryptographic hash algorithm considered insecure since at least 2005, and defaults to one single iteration, a 'strength' or 'difficulty' value that was specified at 1000 when PBKDF2 was specified in 1993. PBKDF2 relies on the iteration count as a countermeasure to preimage and collision attacks. If used to protect passwords, the impact is high. If used to generate signatures, the impact is high. Version 4.2.0 contains a patch for this issue. As a workaround, configure crypto-js to use SHA256 with at least 250000 iterations.

Reference

https://github.com/brix/crypto-js/security/advisories/GHSA-xwcq-pm8m-c4vf
https://github.com/brix/crypto-js/commit/421dd538b2d34e7c24a5b72cc64dc2b9167db40a