CVE-2023-46233
Deserialization of Untrusted Data vulnerability in crypto-js (npm)


What is CVE-2023-46233 About?

This vulnerability is a Deserialization of Untrusted Data issue in Hugging Face Transformers MobileViTV2, allowing remote code execution. Attackers can execute arbitrary code by supplying malicious configuration files to the affected installation. Exploitation requires user interaction, making it moderately difficult.

Affected Software

crypto-js <4.2.0

Technical Details

The flaw exists within the handling of configuration files in Hugging Face Transformers, specifically affecting the MobileViTV2. The vulnerability arises from an insufficient validation of user-supplied data during the deserialization process. An attacker can craft a malicious configuration file containing serialized untrusted data. When this file is processed by the vulnerable application, the deserialization mechanism executes the embedded code, leading to arbitrary code execution in the context of the current user. This typically involves an attacker convincing a user to open a malicious file or visit a malicious page, which then triggers the deserialization.

What is the Impact of CVE-2023-46233?

Successful exploitation may allow attackers to execute arbitrary code, compromise system integrity, gain unauthorized access to sensitive data, or install malicious software.

What is the Exploitability of CVE-2023-46233?

Exploiting this deserialization vulnerability requires user interaction; the target must either visit a malicious web page or open a specially crafted malicious file. This increases the complexity of exploitation as social engineering or phishing tactics may be necessary. There are no explicit authentication or privilege requirements mentioned for the deserialization process itself, meaning a non-privileged user could potentially be a target. The vulnerability can be exploited remotely once the user interaction prerequisite is met. The primary risk factor is the application's processing of untrusted configuration files, making users who frequently handle or open such files more susceptible.

What are the Known Public Exploits?

No known public exploits (no PoC, author, link, or commentary listed).

What are the Available Fixes for CVE-2023-46233?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

This patch changes the default PBKDF2 configuration from SHA1 with 1 iteration to SHA256 with 250,000 iterations, significantly increasing the computational difficulty of brute-force attacks and eliminating the use of the outdated SHA1 algorithm. This directly fixes CVE-2023-46233, which is a vulnerability due to weak default PBKDF2 parameters that could allow attackers to quickly guess or crack derived keys. By enforcing a strong hash function and a high iteration count, the patch aligns with current cryptographic best practices and mitigates the risk of key derivation attacks.

Available Upgrade Options

  • crypto-js
    • <4.2.0 → Upgrade to 4.2.0


Additional Resources

What are Similar Vulnerabilities to CVE-2023-46233?

Similar Vulnerabilities: CVE-2023-49070, CVE-2023-48633, CVE-2023-48630, CVE-2023-48632, CVE-2023-48634