
Vulnerability_id VCID-asxw-e1d3-ckau
Summary
crypto-js PBKDF2 1,000 times weaker than specified in 1993 and 1.3M times weaker than current standard
crypto-js is a JavaScript library of crypto standards. Prior to version 4.2.0, crypto-js PBKDF2 is 1,000 times weaker than originally specified in 1993, and at least 1,300,000 times weaker than the current industry standard. This is because it both defaults to SHA1, a cryptographic hash algorithm considered insecure since at least 2005, and defaults to a single iteration, whereas the 1993 specification set this 'strength' or 'difficulty' value at 1,000. PBKDF2 relies on the iteration count as a countermeasure to preimage and collision attacks. If used to protect passwords, the impact is high. If used to generate signatures, the impact is high. Version 4.2.0 contains a patch for this issue. As a workaround, configure crypto-js to use SHA256 with at least 250,000 iterations.
Aliases
0
alias CVE-2023-46233
1
alias GHSA-xwcq-pm8m-c4vf
Fixed_packages
0
url pkg:npm/crypto-js@4.2.0
purl pkg:npm/crypto-js@4.2.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/crypto-js@4.2.0
Affected_packages
0
url pkg:npm/crypto-js@3.1.2-1
purl pkg:npm/crypto-js@3.1.2-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-asxw-e1d3-ckau
1
vulnerability VCID-grhg-jqy6-xff2
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/crypto-js@3.1.2-1
1
url pkg:npm/crypto-js@3.1.2-2
purl pkg:npm/crypto-js@3.1.2-2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-asxw-e1d3-ckau
1
vulnerability VCID-grhg-jqy6-xff2
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/crypto-js@3.1.2-2
2
url pkg:npm/crypto-js@3.1.2-3
purl pkg:npm/crypto-js@3.1.2-3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-asxw-e1d3-ckau
1
vulnerability VCID-grhg-jqy6-xff2
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/crypto-js@3.1.2-3
3
url pkg:npm/crypto-js@3.1.2-4
purl pkg:npm/crypto-js@3.1.2-4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-asxw-e1d3-ckau
1
vulnerability VCID-grhg-jqy6-xff2
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/crypto-js@3.1.2-4
4
url pkg:npm/crypto-js@3.1.2-5
purl pkg:npm/crypto-js@3.1.2-5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-asxw-e1d3-ckau
1
vulnerability VCID-grhg-jqy6-xff2
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/crypto-js@3.1.2-5
5
url pkg:npm/crypto-js@3.1.2-6
purl pkg:npm/crypto-js@3.1.2-6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-asxw-e1d3-ckau
1
vulnerability VCID-grhg-jqy6-xff2
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/crypto-js@3.1.2-6
6
url pkg:npm/crypto-js@3.1.2
purl pkg:npm/crypto-js@3.1.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-asxw-e1d3-ckau
1
vulnerability VCID-grhg-jqy6-xff2
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/crypto-js@3.1.2
7
url pkg:npm/crypto-js@3.1.4
purl pkg:npm/crypto-js@3.1.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-asxw-e1d3-ckau
1
vulnerability VCID-grhg-jqy6-xff2
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/crypto-js@3.1.4
8
url pkg:npm/crypto-js@3.1.5
purl pkg:npm/crypto-js@3.1.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-asxw-e1d3-ckau
1
vulnerability VCID-grhg-jqy6-xff2
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/crypto-js@3.1.5
9
url pkg:npm/crypto-js@3.1.6
purl pkg:npm/crypto-js@3.1.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-asxw-e1d3-ckau
1
vulnerability VCID-grhg-jqy6-xff2
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/crypto-js@3.1.6
10
url pkg:npm/crypto-js@3.1.7
purl pkg:npm/crypto-js@3.1.7
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-asxw-e1d3-ckau
1
vulnerability VCID-grhg-jqy6-xff2
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/crypto-js@3.1.7
11
url pkg:npm/crypto-js@3.1.8
purl pkg:npm/crypto-js@3.1.8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-asxw-e1d3-ckau
1
vulnerability VCID-grhg-jqy6-xff2
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/crypto-js@3.1.8
12
url pkg:npm/crypto-js@3.1.9-1
purl pkg:npm/crypto-js@3.1.9-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-asxw-e1d3-ckau
1
vulnerability VCID-grhg-jqy6-xff2
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/crypto-js@3.1.9-1
13
url pkg:npm/crypto-js@3.2.0
purl pkg:npm/crypto-js@3.2.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-asxw-e1d3-ckau
1
vulnerability VCID-ej8z-tdd9-ubhg
2
vulnerability VCID-grhg-jqy6-xff2
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/crypto-js@3.2.0
14
url pkg:npm/crypto-js@3.2.1
purl pkg:npm/crypto-js@3.2.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-asxw-e1d3-ckau
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/crypto-js@3.2.1
15
url pkg:npm/crypto-js@3.3.0
purl pkg:npm/crypto-js@3.3.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-asxw-e1d3-ckau
1
vulnerability VCID-grhg-jqy6-xff2
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/crypto-js@3.3.0
16
url pkg:npm/crypto-js@4.0.0
purl pkg:npm/crypto-js@4.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-asxw-e1d3-ckau
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/crypto-js@4.0.0
17
url pkg:npm/crypto-js@4.1.0
purl pkg:npm/crypto-js@4.1.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-asxw-e1d3-ckau
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/crypto-js@4.1.0
18
url pkg:npm/crypto-js@4.1.1
purl pkg:npm/crypto-js@4.1.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-asxw-e1d3-ckau
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/crypto-js@4.1.1
19
url pkg:rpm/redhat/dotnet6.0@6.0.126-1?arch=el8_9
purl pkg:rpm/redhat/dotnet6.0@6.0.126-1?arch=el8_9
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2zs5-gfxg-efgb
1
vulnerability VCID-34zm-8prm-abhs
2
vulnerability VCID-asxw-e1d3-ckau
3
vulnerability VCID-xdr5-8wxz-8kh6
resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/dotnet6.0@6.0.126-1%3Farch=el8_9
20
url pkg:rpm/redhat/dotnet6.0@6.0.126-1?arch=el9_3
purl pkg:rpm/redhat/dotnet6.0@6.0.126-1?arch=el9_3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2zs5-gfxg-efgb
1
vulnerability VCID-34zm-8prm-abhs
2
vulnerability VCID-asxw-e1d3-ckau
3
vulnerability VCID-xdr5-8wxz-8kh6
resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/dotnet6.0@6.0.126-1%3Farch=el9_3
21
url pkg:rpm/redhat/dotnet7.0@7.0.115-1?arch=el9_3
purl pkg:rpm/redhat/dotnet7.0@7.0.115-1?arch=el9_3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2zs5-gfxg-efgb
1
vulnerability VCID-34zm-8prm-abhs
2
vulnerability VCID-asxw-e1d3-ckau
3
vulnerability VCID-xdr5-8wxz-8kh6
resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/dotnet7.0@7.0.115-1%3Farch=el9_3
22
url pkg:rpm/redhat/dotnet7.0@7.0.115-1?arch=el8_9
purl pkg:rpm/redhat/dotnet7.0@7.0.115-1?arch=el8_9
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2zs5-gfxg-efgb
1
vulnerability VCID-34zm-8prm-abhs
2
vulnerability VCID-asxw-e1d3-ckau
3
vulnerability VCID-xdr5-8wxz-8kh6
resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/dotnet7.0@7.0.115-1%3Farch=el8_9
23
url pkg:rpm/redhat/dotnet7.0@7.0.116-1?arch=el8_9
purl pkg:rpm/redhat/dotnet7.0@7.0.116-1?arch=el8_9
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-asxw-e1d3-ckau
1
vulnerability VCID-tt8p-ax2m-qyez
2
vulnerability VCID-ysmy-fhmq-ffdu
resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/dotnet7.0@7.0.116-1%3Farch=el8_9
24
url pkg:rpm/redhat/dotnet7.0@7.0.116-1?arch=el9_3
purl pkg:rpm/redhat/dotnet7.0@7.0.116-1?arch=el9_3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-asxw-e1d3-ckau
1
vulnerability VCID-tt8p-ax2m-qyez
2
vulnerability VCID-ysmy-fhmq-ffdu
resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/dotnet7.0@7.0.116-1%3Farch=el9_3
References
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-46233.json
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-46233.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-46233
reference_id
reference_type
scores
0
value 0.00894
scoring_system epss
scoring_elements 0.75521
published_at 2026-04-02T12:55:00Z
1
value 0.00894
scoring_system epss
scoring_elements 0.75551
published_at 2026-04-04T12:55:00Z
2
value 0.01001
scoring_system epss
scoring_elements 0.77036
published_at 2026-04-18T12:55:00Z
3
value 0.01001
scoring_system epss
scoring_elements 0.76993
published_at 2026-04-13T12:55:00Z
4
value 0.01001
scoring_system epss
scoring_elements 0.76998
published_at 2026-04-12T12:55:00Z
5
value 0.01001
scoring_system epss
scoring_elements 0.77019
published_at 2026-04-11T12:55:00Z
6
value 0.01001
scoring_system epss
scoring_elements 0.76991
published_at 2026-04-09T12:55:00Z
7
value 0.01001
scoring_system epss
scoring_elements 0.7698
published_at 2026-04-08T12:55:00Z
8
value 0.01001
scoring_system epss
scoring_elements 0.76948
published_at 2026-04-07T12:55:00Z
9
value 0.01001
scoring_system epss
scoring_elements 0.77034
published_at 2026-04-16T12:55:00Z
10
value 0.01012
scoring_system epss
scoring_elements 0.77157
published_at 2026-04-21T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-46233
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46233
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46233
3
reference_url https://github.com/brix/crypto-js
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/brix/crypto-js
4
reference_url https://github.com/brix/crypto-js/commit/421dd538b2d34e7c24a5b72cc64dc2b9167db40a
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/brix/crypto-js/commit/421dd538b2d34e7c24a5b72cc64dc2b9167db40a
5
reference_url https://lists.debian.org/debian-lts-announce/2023/11/msg00025.html
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2023/11/msg00025.html
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-46233
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-46233
7
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055525
reference_id 1055525
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055525
8
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2246369
reference_id 2246369
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2246369
9
reference_url https://github.com/advisories/GHSA-xwcq-pm8m-c4vf
reference_id GHSA-xwcq-pm8m-c4vf
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-xwcq-pm8m-c4vf
10
reference_url https://github.com/brix/crypto-js/security/advisories/GHSA-xwcq-pm8m-c4vf
reference_id GHSA-xwcq-pm8m-c4vf
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/brix/crypto-js/security/advisories/GHSA-xwcq-pm8m-c4vf
11
reference_url https://access.redhat.com/errata/RHSA-2024:0151
reference_id RHSA-2024:0151
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:0151
12
reference_url https://access.redhat.com/errata/RHSA-2024:0156
reference_id RHSA-2024:0156
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:0156
13
reference_url https://access.redhat.com/errata/RHSA-2024:0157
reference_id RHSA-2024:0157
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:0157
14
reference_url https://access.redhat.com/errata/RHSA-2024:0158
reference_id RHSA-2024:0158
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:0158
15
reference_url https://access.redhat.com/errata/RHSA-2024:0805
reference_id RHSA-2024:0805
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:0805
16
reference_url https://access.redhat.com/errata/RHSA-2024:0806
reference_id RHSA-2024:0806
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:0806
17
reference_url https://usn.ubuntu.com/6753-1/
reference_id USN-6753-1
reference_type
scores
url https://usn.ubuntu.com/6753-1/
Weaknesses
0
cwe_id 1035
name OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.
1
cwe_id 327
name Use of a Broken or Risky Cryptographic Algorithm
description The product uses a broken or risky cryptographic algorithm or protocol.
2
cwe_id 937
name OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.
3
cwe_id 328
name Use of Weak Hash
description The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (2nd preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack).
4
cwe_id 916
name Use of Password Hash With Insufficient Computational Effort
description The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.
Exploits
Severity_range_score 9.0 - 10.0
Exploitability 0.5
Weighted_severity 9.0
Risk_score 4.5
Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-asxw-e1d3-ckau