Description
Versions of simple-crypto-js prior to 2.3.0 use AES-CBC with PKCS#7 padding, which is vulnerable to padding oracle attacks. This may allow attackers to break the encryption and access sensitive data.
Recommendation
Update the simple-crypto-js package to the latest compatible version. Version details:
- Affected version(s): < 2.3.0
- Patched version(s): 2.3.0
Related Issues
- Insecure password handling vulnerability in Strapi - CVE-2021-46440
- crypto-js uses insecure random numbers - CVE-2020-36732
- Insecure Default Configuration in tesseract.js - Vulnerability
- Insecure Default Configuration in redbird - Vulnerability
Tags: npm, simple-crypto-js
Last updated on April 17, 2023