CVE-2023-2005
published 2023-06-26CVE-2023-2005: Vulnerability in Tenable Tenable.Io, Tenable Nessus, Tenable Security Center.This issue affects Tenable.Io: before Plugin Feed ID #202306261202 ; Nessus…
PriorityP348high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
0.38%
29.6th percentile
Vulnerability in Tenable Tenable.Io, Tenable Nessus, Tenable Security Center.This issue affects Tenable.Io: before Plugin Feed ID #202306261202 ; Nessus: before Plugin Feed ID #202306261202 ; Security Center: before Plugin Feed ID #202306261202 .
This vulnerability could allow a malicious actor with sufficient permissions on a scan target to place a binary in a specific filesystem location, and abuse the impacted plugin in order to escalate privileges.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| crypto-js_project | crypto-js | >= 0 < 4.2.0 | 4.2.0 |
| entronad | crypto-es | >= 0 < 2.1.0 | 2.1.0 |
| tenable | nessus | < Plugin Feed ID #202306261202 | Plugin Feed ID #202306261202 |
| tenable | security_center | < Plugin Feed ID #202306261202 | Plugin Feed ID #202306261202 |
| tenable | tenable.io | < Plugin Feed ID #202306261202 | Plugin Feed ID #202306261202 |
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vendor_redhat9.1CRITICAL
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
crypto-es PBKDF2 1,000 times weaker than specified in 1993 and 1.3M times weaker than current standard
ghsa·2023-10-25
CVE-2023-46133 [CRITICAL] CWE-327 crypto-es PBKDF2 1,000 times weaker than specified in 1993 and 1.3M times weaker than current standard
crypto-es PBKDF2 1,000 times weaker than specified in 1993 and 1.3M times weaker than current standard
### Impact
#### Summary
Crypto-js PBKDF2 is 1,000 times weaker than originally specified in 1993, and [at least 1,300,000 times weaker than current industry standard][OWASP PBKDF2 Cheatsheet]. This is because it both (1) defaults to [SHA1][SHA1 wiki], a cryptographic hash algorithm considered insecure [since at least 2005][Cryptanalysis of SHA-1] and (2) defaults to [one single iteration][one iteration src], a 'strength' or 'difficulty' value specified at 1,000 when specified in 1993. PBKDF2 relies on iteration count as a countermeasure to [preimage][preimage attack] and [collision][collision attack] attacks. Remediation of this issue might be very difficult, as the changes required to f
GHSA
crypto-js PBKDF2 1,000 times weaker than specified in 1993 and 1.3M times weaker than current standard
ghsa·2023-10-25
CVE-2023-46233 [CRITICAL] CWE-327 crypto-js PBKDF2 1,000 times weaker than specified in 1993 and 1.3M times weaker than current standard
crypto-js PBKDF2 1,000 times weaker than specified in 1993 and 1.3M times weaker than current standard
### Impact
#### Summary
Crypto-js PBKDF2 is 1,000 times weaker than originally specified in 1993, and [at least 1,300,000 times weaker than current industry standard][OWASP PBKDF2 Cheatsheet]. This is because it both (1) defaults to [SHA1][SHA1 wiki], a cryptographic hash algorithm considered insecure [since at least 2005][Cryptanalysis of SHA-1] and (2) defaults to [one single iteration][one iteration src], a 'strength' or 'difficulty' value specified at 1,000 when specified in 1993. PBKDF2 relies on iteration count as a countermeasure to [preimage][preimage attack] and [collision][collision attack] attacks.
Potential Impact:
1. If used to protect passwords, the impact is high.
2. If
GHSA
GHSA-rx3v-c929-952g: Vulnerability in Tenable Tenable
ghsa_unreviewed·2023-06-26
CVE-2023-2005 [HIGH] CWE-427 GHSA-rx3v-c929-952g: Vulnerability in Tenable Tenable
Vulnerability in Tenable Tenable.Io, Tenable Nessus, Tenable Security Center.This issue affects Tenable.Io: before Plugin Feed ID #202306261202 ; Nessus: before Plugin Feed ID #202306261202 ; Security Center: before Plugin Feed ID #202306261202 .
This vulnerability could allow a malicious actor with sufficient permissions on a scan target to place a binary in a specific filesystem location, and abuse the impacted plugin in order to escalate privileges.
Red Hat
crypto-js: PBKDF2 1,000 times weaker than specified in 1993 and 1.3M times weaker than current standard
vendor_redhat·2023-10-25·CVSS 9.1
CVE-2023-46233 [CRITICAL] CWE-328 crypto-js: PBKDF2 1,000 times weaker than specified in 1993 and 1.3M times weaker than current standard
crypto-js: PBKDF2 1,000 times weaker than specified in 1993 and 1.3M times weaker than current standard
crypto-js is a JavaScript library of crypto standards. Prior to version 4.2.0, crypto-js PBKDF2 is 1,000 times weaker than originally specified in 1993, and at least 1,300,000 times weaker than current industry standard. This is because it both defaults to SHA1, a cryptographic hash algorithm considered insecure since at least 2005, and defaults to one single iteration, a 'strength' or 'difficulty' value specified at 1,000 when specified in 1993. PBKDF2 relies on iteration count as a countermeasure to preimage and collision attacks. If used to protect passwords, the impact is high. If used to generate signatures, the impact is high. Version 4.2.0 contains a patch for this issue. As a wo
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2023-06-26
Published