CVE-2023-30590

EPSS 0.64%
Published 28.11.2023 20:15:07
Last modified 21.11.2024 08:00:28
Source support@hackerone.com
Teams watchlist Login
Open Login

The generateKeys() API function returned from crypto.createDiffieHellman() only generates missing (or outdated) keys, that is, it only generates a private key if none has been set yet, but the function is also needed to compute the corresponding public key after calling setPrivateKey(). However, the documentation says this API call: "Generates private and public Diffie-Hellman key values".

The documented behavior is very different from the actual behavior, and this difference could easily lead to security issues in applications that use these APIs as the DiffieHellman may be used as the basis for application-level security, implications are consequently broad.

Affected products Warnungen 0 Metrics 2 CWE 0 References 5

Data is provided by the National Vulnerability Database (NVD)

Nodejs ≫ Node.Js Version >= 16.0.0 < 16.20.1

Nodejs ≫ Node.Js Version >= 18.0.0 < 18.16.1

Nodejs ≫ Node.Js Version >= 20.0.0 < 20.3.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.64%	0.696

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

https://nodejs.org/en/blog/vulnerability/june-2023-security-releases

Vendor Advisory

https://lists.debian.org/debian-lts-announce/2024/03/msg00029.html

https://nvd.nist.gov/vuln/detail/CVE-2023-30590

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-30590

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-30590

EUVD