CVE-2020-36732

Severity Score

5.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The crypto-js package before 3.2.1 for Node.js generates random numbers by concatenating the string "0." with an integer, which makes the output more predictable than necessary.

*Credits: N/A

CVSS Scores

NISTv3.1 5.3

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2023-06-12 CVE Reserved
2023-06-12 CVE Published
2024-04-14 First Exploit
2024-08-04 CVE Updated
2024-09-16 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-330: Use of Insufficiently Random Values

CAPEC

References (8)

URL	Tag	Source
https://github.com/brix/crypto-js/compare/3.2.0...3.2.1	Release Notes
https://security.netapp.com/advisory/ntap-20230706-0003
https://security.snyk.io/vuln/SNYK-JS-CRYPTOJS-548472	Third Party Advisory

URL	Date	SRC
https://github.com/miguelc49/CVE-2020-36732-2	2024-04-14
https://github.com/miguelc49/CVE-2020-36732-1	2024-04-14

URL	Date	SRC
https://github.com/brix/crypto-js/issues/256	2023-07-06
https://github.com/brix/crypto-js/pull/257/commits/e4ac157d8b75b962d6538fc0b996e5d4d5a9466b	2023-07-06

URL	Date	SRC
https://github.com/brix/crypto-js/issues/254	2023-07-06

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Crypto-js Project Search vendor "Crypto-js Project"		Crypto-js Search vendor "Crypto-js Project" for product "Crypto-js"				< 3.2.1 Search vendor "Crypto-js Project" for product "Crypto-js" and version " < 3.2.1"		-		Affected