aws / aws-sigv4-auth-cassandra-nodejs-driver-plugin

A SigV4 authentication client side plugin for the open-source DataStax NodeJS Driver for Apache Cassandra. Allows use of IAM users and roles.
Apache License 2.0
5 stars 16 forks

feat(pkg): update version of crypto-js #17

Open kbakdev opened 9 months ago

kbakdev commented 9 months ago

This pull request updates the crypto-js library in package.json to version 4.2.0.

This update addresses a critical security vulnerability found in the previous version related to the PBKDF2 function.

The older version defaulted to the SHA1 hash algorithm and used only a single iteration for key derivation, significantly weakening the cryptographic strength.

kbakdev commented 9 months ago

References

https://github.com/brix/crypto-js/commit/421dd538b2d34e7c24a5b72cc64dc2b9167db40a

https://github.com/brix/crypto-js/security/advisories/GHSA-xwcq-pm8m-c4vf

CVE

CVE-2023-46233
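
The weak defaults described in this pull request, as an added example that is not part of the PR or the plugin's code: with SHA-1 and a single iteration, PBKDF2 reduces to one HMAC call, so the derivation adds no work factor. It uses Node's built-in `crypto` module rather than crypto-js; `deriveKey`, `MIN_ITERATIONS`, `ALLOWED_DIGESTS` and the 16-byte key length are assumptions made for the illustration.

```javascript
// Added example: Node's built-in crypto module, not crypto-js itself.
const crypto = require('node:crypto');

// The defaults the PR describes for the older release: SHA-1 and one iteration.
// The 16-byte output length is an assumption chosen for this demo.
function legacyDefaultKey(password, salt, keyLen = 16) {
  return crypto.pbkdf2Sync(password, salt, 1, keyLen, 'sha1');
}

// PBKDF2 (RFC 8018) with c = 1 and dkLen <= hLen is just
// T_1 = U_1 = HMAC(password, salt || INT_32_BE(1)): a single HMAC call.
function singleHmacSha1(password, salt, keyLen = 16) {
  const blockIndex = Buffer.from([0, 0, 0, 1]);
  return crypto
    .createHmac('sha1', password)
    .update(Buffer.concat([Buffer.from(salt), blockIndex]))
    .digest()
    .subarray(0, keyLen);
}

// Hypothetical policy values for this example, not taken from the PR.
const MIN_ITERATIONS = 100000;
const ALLOWED_DIGESTS = new Set(['sha256', 'sha512']);

// Derive a key only when every parameter is stated explicitly, so the
// result never depends on whatever defaults a library version ships with.
function deriveKey(password, salt, { iterations, digest, keyLen } = {}) {
  if (!Number.isInteger(iterations) || iterations < MIN_ITERATIONS) {
    throw new RangeError(`iterations must be an integer >= ${MIN_ITERATIONS}`);
  }
  if (!ALLOWED_DIGESTS.has(digest)) {
    throw new RangeError('digest must be one of: ' + [...ALLOWED_DIGESTS].join(', '));
  }
  if (!Number.isInteger(keyLen) || keyLen < 16) {
    throw new RangeError('keyLen must be an integer >= 16 bytes');
  }
  return crypto.pbkdf2Sync(password, salt, iterations, keyLen, digest);
}
```

Code that already passes its own hasher and iteration count to PBKDF2 does not depend on the library defaults; the defaults matter only for call sites that omit them.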