SCA: security update for crypto-es (GHSA-mpj8-q39x-wq5h)

critical Tenable Cloud Security Plugin ID 417061

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- CryptoES is a cryptography algorithms library compatible with ES6 and TypeScript. Prior to version 2.1.0,
CryptoES PBKDF2 is 1,000 times weaker than originally specified in 1993, and at least 1,300,000 times
weaker than current industry standard. This is because it both defaults to SHA1, a cryptographic hash
algorithm considered insecure since at least 2005, and defaults to one single iteration, a 'strength' or
'difficulty' value specified at 1,000 when specified in 1993. PBKDF2 relies on iteration count as a
countermeasure to preimage and collision attacks. If used to protect passwords, the impact is high. If
used to generate signatures, the impact is high. Version 2.1.0 contains a patch for this issue. As a
workaround, configure CryptoES to use SHA256 with at least 250,000 iterations. (CVE-2023-46133)

See Also

https://github.com/advisories/GHSA-mpj8-q39x-wq5h

Plugin Details

Severity: Critical

ID: 417061

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.3

Percentile: 53.37

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: High

Base Score: 9.4

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:N

CVSS Score Source: CVE-2023-46133

CVSS v3

Risk Factor: Critical

Base Score: 9.1

Temporal Score: 8.2

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 10/25/2023

Vulnerability Publication Date: 10/25/2023

Reference Information

CVE: CVE-2023-46133