Vulnerability Details CVE-2020-36732
The crypto-js package before 3.2.1 for Node.js generates random numbers by concatenating the string "0." with an integer, which makes the output more predictable than necessary.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.006
EPSS Ranking 67.8%
CVSS Severity
CVSS v3 Score 5.3
References
- https://github.com/brix/crypto-js/compare/3.2.0...3.2.1
- https://github.com/brix/crypto-js/issues/254
- https://github.com/brix/crypto-js/issues/256
- https://github.com/brix/crypto-js/pull/257/commits/e4ac157d8b75b962d6538fc0b996e5d4d5a9466b
- https://security.netapp.com/advisory/ntap-20230706-0003/
- https://security.snyk.io/vuln/SNYK-JS-CRYPTOJS-548472
- https://github.com/brix/crypto-js/compare/3.2.0...3.2.1
- https://github.com/brix/crypto-js/issues/254
- https://github.com/brix/crypto-js/issues/256
- https://github.com/brix/crypto-js/pull/257/commits/e4ac157d8b75b962d6538fc0b996e5d4d5a9466b
- https://security.netapp.com/advisory/ntap-20230706-0003/
- https://security.snyk.io/vuln/SNYK-JS-CRYPTOJS-548472
Products affected by CVE-2020-36732
-
cpe:2.3:a:crypto-js_project:crypto-js:3.1.2
-
cpe:2.3:a:crypto-js_project:crypto-js:3.1.2-1
-
cpe:2.3:a:crypto-js_project:crypto-js:3.1.2-2
-
cpe:2.3:a:crypto-js_project:crypto-js:3.1.2-3
-
cpe:2.3:a:crypto-js_project:crypto-js:3.1.2-4
-
cpe:2.3:a:crypto-js_project:crypto-js:3.1.2-5
-
cpe:2.3:a:crypto-js_project:crypto-js:3.1.3
-
cpe:2.3:a:crypto-js_project:crypto-js:3.1.4
-
cpe:2.3:a:crypto-js_project:crypto-js:3.1.5
-
cpe:2.3:a:crypto-js_project:crypto-js:3.1.6
-
cpe:2.3:a:crypto-js_project:crypto-js:3.1.7
-
cpe:2.3:a:crypto-js_project:crypto-js:3.1.8
-
cpe:2.3:a:crypto-js_project:crypto-js:3.1.9
-
cpe:2.3:a:crypto-js_project:crypto-js:3.1.9-1
-
cpe:2.3:a:crypto-js_project:crypto-js:3.2.0