CVE-2023-46233

crypto-js PBKDF2 1,000 times weaker than specified in 1993 and 1.3M times weaker than current standard

crypto-js is a JavaScript library of crypto standards. Prior to version 4.2.0, crypto-js PBKDF2 is 1,000 times weaker than originally specified in 1993, and at least 1,300,000 times weaker than the current industry standard. This is because it both defaults to SHA1, a cryptographic hash algorithm considered insecure since at least 2005, and defaults to a single iteration, a 'strength' or 'difficulty' value that the 1993 specification already set at 1,000. PBKDF2 relies on the iteration count as a countermeasure to preimage and collision attacks. If used to protect passwords, the impact is high. If used to generate signatures, the impact is high. Version 4.2.0 contains a patch for this issue. As a workaround, configure crypto-js to use SHA256 with at least 250,000 iterations.


We have discovered 17,571 live websites that are affected by CVE-2023-46233.





Affected Software

  • Product: crypto-js
  • Category: JavaScript Libraries
  • Vulnerable Domains: 17,571 live websites (97.57% of the crypto-js install base)
  • Vulnerable Versions: from 0 before 4.2
  • Vulnerable Versions Count: 15 versions (93.75% of all versions)


Common Weakness Enumeration

CWE-328 Use of Weak Hash



Details

  • Published - Oct 25, 2023
  • Updated - Aug 2, 2024

CVE-2023-46233 usage by Country

  • United States: 13,916 websites
  • France: 661 websites
  • Italy: 400 websites
  • Korea, South: 248 websites
  • China: 179 websites
  • Germany: 167 websites
  • Singapore: 159 websites
  • Netherlands: 151 websites
  • Hong Kong: 135 websites
  • GB: 134 websites

CVE-2023-46233 usage by TLD

  • .com: 7,178 websites
  • .net: 4,774 websites
  • .org: 1,809 websites
  • .it: 302 websites
  • .fr: 259 websites
  • .com.br: 225 websites
  • .de: 143 websites
  • .co.uk: 105 websites
  • .io: 96 websites
  • .com.au: 79 websites



FAQ

  • CVE-2023-46233 is a Use of Weak Hash (CWE-328) vulnerability in crypto-js.
  • A total of 17,571 websites have been identified as vulnerable to CVE-2023-46233, discovered through global website indexing conducted by WebTechSurvey.
  • crypto-js is susceptible to the CVE-2023-46233 vulnerability.
  • crypto-js versions before 4.2 are vulnerable to CVE-2023-46233.
  • Version 4.2 of crypto-js addresses the CVE-2023-46233 security vulnerability.