Authenticator-Extension / Authenticator

Authenticator generates 2-Step Verification codes in your browser.
https://authenticator.cc
MIT License

crypto-js - Use of Weak Hash #1137

Closed tjcinnamon closed 6 months ago

tjcinnamon commented 6 months ago

Describe the issue

Please update crypto-js to: crypto-js@4.2.0

https://www.cve.org/CVERecord?id=CVE-2023-46233

Browser

Firefox

Browser Version

120

Extension Version

6.3.5

tjcinnamon commented 6 months ago

or more generally updating many of the libraries suggested via npm. Also, the js-crypto was recommended by SNYK

tjcinnamon commented 6 months ago

@Sneezry

mymindstorm commented 6 months ago

Thanks for the issue. We will get to this after the holidays, currently very busy.

tjcinnamon commented 6 months ago

Thanks for the issue. We will get to this after the holidays, currently very busy.

no worries! I love this software and appreciate your time and effort.

mymindstorm commented 6 months ago

@tjcinnamon could you describe how this CVE affects us (outside of being bad practice)? We use argon2-browser for our password hashing. To my knowledge we don't use cryptojs pbkdf2 anywhere in the extension.

tjcinnamon commented 6 months ago

I ran a Snyk scan on the repo and that's what it came up with. It could be a false positive. However, I did download the source and saw that library referenced. But perhaps, as you pointed out, it's not actually used.


tjcinnamon commented 6 months ago

looks like it's in the package.json file. So it's not referenced in code, just the json file.


mymindstorm commented 6 months ago

I'm happy that we aren't affected by this. To be clear, we do use crypto-js, but just for random values and AES encryption and decryption. e.g.: https://github.com/Authenticator-Extension/Authenticator/blob/d1bae1d8a202788a0440e201db8a629f6a1c0d8e/src/store/Accounts.ts#L221
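The question the thread settles by hand, whether the advisory's weak-default API (crypto-js PBKDF2) is actually called anywhere or the package is only declared, can be scripted as a first-pass triage. The following is an added example, not code from the Authenticator project: it takes a package.json object and a map of source file texts (both constructed here; the "^4.1.1" version spec is a sample value), checks the declared crypto-js version against the 4.2.0 release named in the issue, and lists files that call PBKDF2. A text match is only an approximation (an aliased import would be missed, and a PBKDF2 call that sets its own hasher and iteration count is not affected), so flagged files are for manual review.

```javascript
// Added example: triage whether a crypto-js PBKDF2 advisory is reachable.
// Not part of the Authenticator project; inputs below are constructed.
const FIXED_VERSION = [4, 2, 0]; // crypto-js@4.2.0, the release named in the issue

function parseVersion(spec) {
  // Drop range prefixes such as ^ ~ >= and keep major.minor.patch.
  const m = /(\d+)\.(\d+)\.(\d+)/.exec(spec || "");
  return m ? m.slice(1, 4).map(Number) : null;
}

function versionAtLeast(spec, target) {
  const v = parseVersion(spec);
  if (!v) return false;
  for (let i = 0; i < 3; i++) {
    if (v[i] !== target[i]) return v[i] > target[i];
  }
  return true;
}

function triageCryptoJs(pkg, sources) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const spec = deps["crypto-js"];
  // Files that call PBKDF2 by name; a heuristic, not a full call-graph.
  const pbkdf2Files = Object.entries(sources)
    .filter(([, text]) => /\bPBKDF2\s*\(/.test(text))
    .map(([path]) => path);
  const fixed = versionAtLeast(spec, FIXED_VERSION);
  return {
    declared: spec !== undefined,
    fixed,
    pbkdf2Files,
    // Only a declared, unfixed version with an actual PBKDF2 call needs review.
    needsReview: spec !== undefined && !fixed && pbkdf2Files.length > 0,
  };
}

// Constructed sample mirroring the thread: crypto-js is declared, but the
// source only uses it for random values and AES, not PBKDF2.
const samplePkg = { dependencies: { "crypto-js": "^4.1.1" } };
const sampleSources = {
  "src/store/Accounts.ts":
    "const iv = CryptoJS.lib.WordArray.random(16);\n" +
    "CryptoJS.AES.encrypt(secret, key, { iv });",
};

const report = triageCryptoJs(samplePkg, sampleSources);
console.log(report); // needsReview: false, fixed: false, pbkdf2Files: []
```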