org.webjars.npm:pbkdf2@3.0.17 vulnerabilities

  • latest version

    3.1.2

  • first published

    9 years ago

  • latest version published

    4 years ago

  • Direct Vulnerabilities

    Known vulnerabilities in the org.webjars.npm:pbkdf2 package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable Version
    • C
    Generation of Predictable Numbers or Identifiers

    Affected versions of this package are vulnerable to Generation of Predictable Numbers or Identifiers via the pbkdf2Sync method. An attacker can obtain predictable or uninitialized memory as a cryptographic key when key derivation is used with unsupported or non-normalized algorithm names, potentially compromising the security of derived keys in affected environments.

    How to fix Generation of Predictable Numbers or Identifiers?

    A fix was pushed into the master branch but not yet published.

    Vulnerable versions: [0,)
    • C
    Generation of Predictable Numbers or Identifiers

    Affected versions of this package are vulnerable to Generation of Predictable Numbers or Identifiers via the toBuffer function. An attacker can predict cryptographic keys that were generated using Uint8Array inputs on affected Node.js versions, leading to compromised security of derived keys or passwords.

    Note: This is only exploitable in environments running Node.js or io.js versions lower than 3.0.0.

    How to fix Generation of Predictable Numbers or Identifiers?

    A fix was pushed into the master branch but not yet published.

    Vulnerable versions: [0,)
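
Since neither fix is published yet, a caller-side guard can keep both conditions described above (non-normalized algorithm names, and typed-array inputs) from reaching the derivation. This is an added example, not code from the pbkdf2 project or from this advisory; `guardedPbkdf2Sync`, `ALLOWED_DIGESTS`, the 16-byte minimum and the zero-fill check are assumptions made for illustration, and the default implementation is Node's built-in `crypto.pbkdf2Sync`.

```javascript
'use strict';
const crypto = require('node:crypto');

// Assumed policy: the exact, lowercase digest names this application accepts.
const ALLOWED_DIGESTS = new Set(['sha256', 'sha384', 'sha512']);

// Accept only strings and Buffers; other typed arrays are rejected, not coerced.
function assertBytes(name, value) {
  if (typeof value !== 'string' && !Buffer.isBuffer(value)) {
    throw new TypeError(`${name} must be a string or Buffer`);
  }
}

// Hypothetical wrapper: validates every argument, then calls `impl`
// (any function with the pbkdf2Sync signature; defaults to Node's built-in).
function guardedPbkdf2Sync(password, salt, iterations, keylen, digest,
                           impl = crypto.pbkdf2Sync) {
  assertBytes('password', password);
  assertBytes('salt', salt);
  if (!Number.isInteger(iterations) || iterations < 1) {
    throw new RangeError('iterations must be a positive integer');
  }
  if (!Number.isInteger(keylen) || keylen < 16) {
    throw new RangeError('keylen must be an integer of at least 16 bytes');
  }
  // Exact match only: no case folding, trimming, or aliases such as "SHA-256".
  if (typeof digest !== 'string' || !ALLOWED_DIGESTS.has(digest)) {
    throw new TypeError(`digest not in allowlist: ${String(digest)}`);
  }
  const key = impl(password, salt, iterations, keylen, digest);
  // Fail closed on a wrong-sized or zero-filled result. This is a sanity
  // check only; it cannot recognise every form of predictable output.
  if (!Buffer.isBuffer(key) || key.length !== keylen || key.every((b) => b === 0)) {
    throw new Error('key derivation returned an unexpected result');
  }
  return key;
}

// Demo helper: returns the name of the error a call throws, or null.
function rejects(fn) {
  try { fn(); return null; } catch (e) { return e.name; }
}

// Constructed sample inputs.
console.log(guardedPbkdf2Sync('pw', 'salt', 1000, 32, 'sha256').toString('hex'));
console.log(rejects(() => guardedPbkdf2Sync('pw', 'salt', 1000, 32, 'SHA-256')));
```
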