Participating Frequently
August 6, 2024
Answered

Re: CryptoJS v3.1.2 vulnerability

  • August 6, 2024
  • 2 replies
  • 2693 views

Currently, I am using the CryptoJS v3.1.2 library file, which has a vulnerability. How do I mitigate this issue in ColdFusion?

    Correct answer BKBK

    I tried with the Stanford Javascript Crypto Library to encrypt, but I am unable to decrypt in ColdFusion.
    Could you give me some sample code?



    Could you share your code, together with comments on what you wish to achieve? Then we'll know what to test.

    2 replies

    BKBK
    Community Expert
    August 7, 2024

    @Janaki30364817ulno, why do you even continue to use JavaScript for encryption and decryption in a ColdFusion application? I would suggest you do away with JavaScript encryption altogether.


    Nowadays, ColdFusion has its own in-built encryption/decryption library. The encryption is powerful. Also, using it automatically offers you the advantage of Adobe's upgrades and updates. 


    The following example conveys the flavour of ColdFusion's encryption/decryption library:


    <!--- Tested on ColdFusion 2023 --->
    <cfset plainText = "Hello, World!">
    <!--- generateSecretKey() returns a random 256-bit AES key, Base64-encoded --->
    <cfset secretKey = generateSecretKey("AES",256)>
    <cfset algorithm = "AES/CBC/PKCS5Padding">
    <!--- No IV is passed, so encrypt() generates a random IV and prepends it to the
          encrypted value; decrypt() reads it back from there. "hex" is the output encoding. --->
    <cfset encryptedText = encrypt(plainText, secretKey, algorithm, "hex")>
    <cfset decryptedText = decrypt(encryptedText, secretKey, algorithm, "hex")>
    
    <cfoutput>
        Encrypted Text: #encryptedText#<br>
        Decrypted Text: #decryptedText#
    </cfoutput>


    Participating Frequently
    August 14, 2024

    I would like to do client-side encryption to hide the credit card information in the payload, so I used this logic: client-side encryption using JavaScript and server-side decryption in ColdFusion. We have implemented this logic in CryptoJS 3.1.2, which has vulnerabilities, and the latest version of CryptoJS, 4.2.0, is also discontinued. I want to hide the credit card in the payload. What's the best way to implement this logic in ColdFusion?

    BKBK
    Community Expert
    August 14, 2024

    CryptoJS is client-side, with the client, usually the browser, as its domain, whereas ColdFusion is server-side, with the server as its domain.


    So we should not expect ColdFusion to be responsible for a client-side task such as "hide the credit card in payload". As CryptoJS has been discontinued, an obvious solution is to:

    • Get a client-side alternative to CryptoJS. A quick search on the web gives Stanford Javascript Crypto Library, JSEncrypt and Web Cryptography API.
    Community Expert
    August 6, 2024

    I'm pretty sure this isn't included with ColdFusion. So I don't think you can mitigate it in ColdFusion. It's a Node.js package I think.


    https://security.snyk.io/package/npm/crypto-js/3.1.2


    https://github.com/brix/crypto-js - apparently it's now discontinued in favor of the Crypto module built into Node.js


    Dave Watts, Eidolon LLC