PT-2023-4527 · Node.Js+10 · Node.Js+10

Ben Smyth

·

Published

2023-06-20

·

Updated

2025-02-13

·

CVE-2023-30590

CVSS v3.1

7.5

High

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions Node.js (affected versions not specified)
Description The generateKeys() API function returned from crypto.createDiffieHellman() only generates missing (or outdated) keys, that is, it only generates a private key if none has been set yet, but the function is also needed to compute the corresponding public key after calling setPrivateKey(). However, the documentation says this API call: "Generates private and public Diffie-Hellman key values". The documented behavior is very different from the actual behavior, and this difference could easily lead to security issues in applications that use these APIs as the DiffieHellman may be used as the basis for application-level security, implications are consequently broad.
Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration

CWE-1068

Related Identifiers

ALSA-2023:4330
ALSA-2023:4331
ALSA-2023:4536
ALSA-2023:4537
ALT-PU-2023-4642
ALT-PU-2024-14696
ALT-PU-2025-2007
ALT-PU-2025-2047
BDU:2023-04930
BIT-NODE-2023-30590
BIT-NODE-MIN-2023-30590
CESA-2023_4536
CESA-2023_4537
CVE-2023-30590
DLA-3776-1
DLA-3886-1
DSA-5589-1
MGASA-2023-0226
OESA-2023-1551
OPENSUSE-SU-2023_3408-1
OPENSUSE-SU-2023_3455-1
OPENSUSE-SU-2024:13021-1
RHSA-2023:4330
RHSA-2023:4331
RHSA-2023:4536
RHSA-2023:4537
RHSA-2023:5361
RHSA-2023:5533
RHSA-2023_4330
RHSA-2023_4331
RHSA-2023_4536
RHSA-2023_4537
RLSA-2023:4536
RLSA-2023:4537
SUSE-SU-2023:2655-1
SUSE-SU-2023:2662-1
SUSE-SU-2023:2663-1
SUSE-SU-2023:2669-1
SUSE-SU-2023:2861-1
SUSE-SU-2023:3306-1
SUSE-SU-2023:3408-1
SUSE-SU-2023:3455-1
USN-6735-1

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
Linuxmint
Node.Js
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu