CVE-2023-30590

nodejs: DiffieHellman do not generate keys after setting a private key

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The generateKeys() API function returned from crypto.createDiffieHellman() only generates missing (or outdated) keys, that is, it only generates a private key if none has been set yet, but the function is also needed to compute the corresponding public key after calling setPrivateKey(). However, the documentation says this API call: "Generates private and public Diffie-Hellman key values".

The documented behavior is very different from the actual behavior, and this difference could easily lead to security issues in applications that use these APIs as the DiffieHellman may be used as the basis for application-level security, implications are consequently broad.

La función API generateKeys() devuelta por crypto.createDiffieHellman() solo genera claves faltantes (o desactualizadas), es decir, solo genera una clave privada si aún no se ha configurado ninguna, pero la función también es necesaria para calcular la clave pública correspondiente. después de llamar a setPrivateKey(). Sin embargo, la documentación dice que esta llamada API: "Genera valores de clave Diffie-Hellman públicos y privados". El comportamiento documentado es muy diferente del comportamiento real, y esta diferencia podría conducir fácilmente a problemas de seguridad en las aplicaciones que utilizan estas API, ya que DiffieHellman puede usarse como base para la seguridad a nivel de aplicación; en consecuencia, las implicaciones son amplias.

A vulnerability has been identified in the Node.js, where a generateKeys() API function returned from crypto.createDiffieHellman() only generates missing (or outdated) keys, that is, it only generates a private key if none has been set yet.

*Credits: N/A

CVSS Scores

NISTv3.1 7.5

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2023-04-13 CVE Reserved
2023-07-31 CVE Published
2023-12-05 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (4)

URL	Tag	Source
https://lists.debian.org/debian-lts-announce/2024/03/msg00029.html

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://nodejs.org/en/blog/vulnerability/june-2023-security-releases	2024-03-27
https://access.redhat.com/security/cve/CVE-2023-30590	2023-10-09
https://bugzilla.redhat.com/show_bug.cgi?id=2219842	2023-10-09

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Nodejs Search vendor "Nodejs"		Node.js Search vendor "Nodejs" for product "Node.js"				>= 16.0.0 < 16.20.1 Search vendor "Nodejs" for product "Node.js" and version " >= 16.0.0 < 16.20.1"		-		Affected
Nodejs Search vendor "Nodejs"		Node.js Search vendor "Nodejs" for product "Node.js"				>= 18.0.0 < 18.16.1 Search vendor "Nodejs" for product "Node.js" and version " >= 18.0.0 < 18.16.1"		-		Affected
Nodejs Search vendor "Nodejs"		Node.js Search vendor "Nodejs" for product "Node.js"				>= 20.0.0 < 20.3.1 Search vendor "Nodejs" for product "Node.js" and version " >= 20.0.0 < 20.3.1"		-		Affected