Closed tjcinnamon closed 6 months ago
or more generally updating many of the libraries suggested via npm. Also, the js-crypto was recommended by SNYK
@Sneezry
Thanks for the issue. We will get to this after the holidays, currently very busy.
no worries! I love this software and appreciate your time and effort.
@tjcinnamon could you describe how this CVE affects us (outside of being bad practice)? We use argon2-browser for our password hashing. To my knowledge we don't use cryptojs pbkdf2 anywhere in the extension.
I ran a Snyk scan on the repo and that's what it came up with. It could be a false positive. However, I did download the source and saw that library referenced. But perhaps, as you pointed out, it's not actually used.
On Tue, Jan 2, 2024 at 11:39 PM Brendan Early wrote:
@tjcinnamon https://github.com/tjcinnamon could you describe how this CVE affects us? We use argon2-browser for our password hashing. To my knowledge we don't use cryptojs pbkdf2 anywhere in the extension.
Looks like it's in the package.json file. So not referenced in code, just the json file.
On Wed, Jan 3, 2024 at 10:25 AM Joe K wrote:
I ran a Snyk scan on the repo and that's what it came up with. It could be a false positive. However, I did download the source and saw that library referenced. But perhaps, as you pointed out, it's not actually used.
I'm happy that we aren't affected by this. To be clear, we do use crypto-js, but just for random values and AES encryption and decryption. e.g.: https://github.com/Authenticator-Extension/Authenticator/blob/d1bae1d8a202788a0440e201db8a629f6a1c0d8e/src/store/Accounts.ts#L221
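The triage the maintainers did by hand above (is the pinned crypto-js older than the fixed 4.2.0, and does our own code actually call PBKDF2?) can be scripted. The following is an added example, not code from the Authenticator project; the package.json fragment, the source snippets and the file names are constructed for the demo.

```javascript
// Added example (not from the Authenticator project): triage a scanner
// finding for CVE-2023-46233 (crypto-js PBKDF2 defaults, fixed in 4.2.0).
// Two questions a reviewer wants answered: is the declared crypto-js range
// below the fixed version, and does our own source actually call PBKDF2?
// All inputs are constructed inline so the script runs offline.

// Constructed stand-in for a project's package.json dependencies.
const packageJson = {
  dependencies: { "argon2-browser": "^1.18.0", "crypto-js": "^4.1.1" },
};

// Constructed stand-ins for source files: the first mirrors the AES-only
// usage described in the thread, the second shows what a real hit looks like.
const sourceFiles = {
  "src/store/Accounts.ts":
    "const enc = CryptoJS.AES.encrypt(secret, key).toString();",
  "src/legacy.ts":
    "const dk = CryptoJS.PBKDF2(pw, salt, { keySize: 8 });",
};

// Parse "major.minor.patch" out of a range string such as "^4.1.1" or "~4.2.0".
// Only the floor of the range is inspected; what was actually installed is
// decided by the lockfile, so treat this as a first filter, not a verdict.
function lowerBoundVersion(range) {
  const m = /(\d+)\.(\d+)\.(\d+)/.exec(range);
  if (!m) throw new Error(`unparseable version range: ${range}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// True when crypto-js is a direct dependency whose floor is older than 4.2.0.
function cryptoJsBelowFix(pkg, fixed = [4, 2, 0]) {
  const range = (pkg.dependencies || {})["crypto-js"];
  if (!range) return false; // not a direct dependency at all
  return compareVersions(lowerBoundVersion(range), fixed) < 0;
}

// Names of files that reference the PBKDF2 API. A textual match is only a
// starting point: it misses aliased imports and transitive callers inside
// node_modules, so a miss here still needs confirmation by reading the code.
function filesCallingPbkdf2(files) {
  const pattern = /\bPBKDF2\s*\(/;
  return Object.keys(files).filter((name) => pattern.test(files[name]));
}
```

Even when no file calls PBKDF2, bumping the dependency to 4.2.0 is the cheaper fix than arguing the finding away with every future scan.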
Describe the issue
Please update crypto-js to: crypto-js@4.2.0
https://www.cve.org/CVERecord?id=CVE-2023-46233
Browser
Firefox
Browser Version
120
Extension Version
6.3.5