Lucene search

K
cveHackeroneCVE-2023-30588
HistoryNov 28, 2023 - 8:15 p.m.

CVE-2023-30588

2023-11-2820:15:07
hackerone
web.nvd.nist.gov
230
cve-2023-30588
dos
x509 certificate
node.js
vulnerability
nvd

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

AI Score

6

Confidence

High

EPSS

0.001

Percentile

30.0%

When an invalid public key is used to create an x509 certificate using the crypto.X509Certificate() API a non-expect termination occurs making it susceptible to DoS attacks when the attacker could force interruptions of application processing, as the process terminates when accessing public key info of provided certificates from user code. The current context of the users will be gone, and that will cause a DoS scenario. This vulnerability affects all active Node.js versions v16, v18, and, v20.

Affected configurations

Nvd
Vulners
Node
nodejsnode.jsRange16.0.016.20.1
OR
nodejsnode.jsRange18.0.018.16.1
OR
nodejsnode.jsRange20.0.020.3.1

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "vendor": "Node.js",
    "product": "Node.js",
    "versions": [
      {
        "version": "16.20.1",
        "status": "affected",
        "lessThan": "16.20.1",
        "versionType": "semver"
      },
      {
        "version": "18.16.1",
        "status": "affected",
        "lessThan": "18.16.1",
        "versionType": "semver"
      },
      {
        "version": "20.3.1",
        "status": "affected",
        "lessThan": "20.3.1",
        "versionType": "semver"
      }
    ]
  }
]

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

AI Score

6

Confidence

High

EPSS

0.001

Percentile

30.0%