CVE-2023-30590

See a problem?

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-30590

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-30590.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-30590

Aliases

BIT-node-2023-30590

Related

Published

2023-11-28T20:15:07Z

Modified

2024-09-14T20:51:51.451506Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator

Summary

[none]

Details

The generateKeys() API function returned from crypto.createDiffieHellman() only generates missing (or outdated) keys, that is, it only generates a private key if none has been set yet, but the function is also needed to compute the corresponding public key after calling setPrivateKey(). However, the documentation says this API call: "Generates private and public Diffie-Hellman key values".

The documented behavior is very different from the actual behavior, and this difference could easily lead to security issues in applications that use these APIs as the DiffieHellman may be used as the basis for application-level security, implications are consequently broad.

References

Affected packages

Debian:11 / nodejs

Package

Name: nodejs
Purl: pkg:deb/debian/nodejs?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

12.22.12~dfsg-1~deb11u5

Affected versions

12.*

12.21.0~dfsg-5

12.22.4~dfsg-1

12.22.5~dfsg-1

12.22.5~dfsg-2~11u1

12.22.5~dfsg-2

12.22.5~dfsg-3

12.22.5~dfsg-4

12.22.5~dfsg-5

12.22.5~dfsg-6

12.22.5~dfsg-7

12.22.7~dfsg-1

12.22.7~dfsg-2

12.22.9~dfsg-1

12.22.10~dfsg-1

12.22.10~dfsg-2

12.22.12~dfsg-1~deb11u1

12.22.12~dfsg-1~deb11u2

12.22.12~dfsg-1~deb11u3

12.22.12~dfsg-1~deb11u4

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / nodejs

Package

Name: nodejs
Purl: pkg:deb/debian/nodejs?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

18.19.0+dfsg-6~deb12u1

Affected versions

18.*

18.13.0+dfsg1-1

18.13.0+dfsg1-1.1

18.19.0+dfsg-1

18.19.0+dfsg-2

18.19.0+dfsg-3

18.19.0+dfsg-4

18.19.0+dfsg-5

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / nodejs

Package

Name: nodejs
Purl: pkg:deb/debian/nodejs?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

18.13.0+dfsg1-1.1

Affected versions

18.*

18.13.0+dfsg1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/nodejs/node

Affected ranges

Type: GIT
Repo: https://github.com/nodejs/node
Events: Introduced

e7618fb5a5fc25d76b6474e2a6607f04fd6f10e0

Fixed

9869bdc93d7bd8b439c4a2598607ee779483ee53

Affected versions

v20.*

v20.0.0

v20.1.0

v20.2.0

v20.3.0