Authenticator-Extension / Authenticator

Describe the issue

Please update crypto-js to: crypto-js@4.2.0

https://www.cve.org/CVERecord?id=CVE-2023-46233

Browser

Firefox

Browser Version

120

Extension Version

6.3.5

or more generally updating many of the libraries suggested via npm. Also, the js-crypto was was recommend by SNYK

@Sneezry

Thanks for the issue. We will get to this after the holidays, currently very busy.

Thanks for the issue. We will get to this after the holidays, currently very busy.

no worries! I love this software and appreciate your time and effort.

@tjcinnamon could you describe how this CVE affects us (outside of being bad practice)? We use argon2-browser for our password hashing. To my knowledge we don't use cryptojs pbkdf2 anywhere in the extension.

I ran a Snyk scan on the repo and that's what it came up with. It could be a false positive. However, I did download the source and saw that library referenced. But perhaps, as you pointed out, it's not actually used.

…

On Tue, Jan 2, 2024 at 11:39 PM Brendan Early ***@***.***> wrote: @tjcinnamon <https://github.com/tjcinnamon> could you describe how this CVE affects us? We use argon2-browser for our password hashing. To my knowledge we don't use cryptojs pbkdf2 anywhere in the extension. — Reply to this email directly, view it on GitHub <#1137 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AGJSA42I3DNN3RT5CLK2ADDYMTVITAVCNFSM6AAAAABA3Z22I6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQNZUHA3TGNRVGI> . You are receiving this because you were mentioned.Message ID: ***@***.***>

looks like it's in the package.json file. So not referenced in code just the json file.

…

On Wed, Jan 3, 2024 at 10:25 AM Joe K ***@***.***> wrote: I ran a Snyk scan on the repo and that's what it came up with. It could be a false positive. However, I did download the source and saw that library referenced. But perhaps, as you pointed out, it's not actually used. On Tue, Jan 2, 2024 at 11:39 PM Brendan Early ***@***.***> wrote: > @tjcinnamon <https://github.com/tjcinnamon> could you describe how this > CVE affects us? We use argon2-browser for our password hashing. To my > knowledge we don't use cryptojs pbkdf2 anywhere in the extension. > > — > Reply to this email directly, view it on GitHub > <#1137 (comment)>, > or unsubscribe > <https://github.com/notifications/unsubscribe-auth/AGJSA42I3DNN3RT5CLK2ADDYMTVITAVCNFSM6AAAAABA3Z22I6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQNZUHA3TGNRVGI> > . > You are receiving this because you were mentioned.Message ID: > ***@***.***> >

I'm happy that we aren't affected by this. To be clear, we do use crypto-js, but just for random values and AES encryption and decryption. e.g.:

Authenticator/src/store/Accounts.ts

Line 221 in d1bae1d

const wordArray = CryptoJS.lib.WordArray.random(120);

crypto-js - Use of Weak Hash

Describe the issue

Browser

Browser Version

Extension Version