Important: nodejs:16 security update

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs 16. Security Fixes: nodejs: weak randomness in WebCrypto keygen CVE-2022-35255 nodej...

RHEL 8 : nodejs:16 (RHSA-2022:6964)

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2022:6964 advisory. Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The...

ALSA-2022:6964 Important: nodejs:16 security update

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs 16. Security Fixes: nodejs: weak randomness in WebCrypto keygen CVE-2022-35255 nodej...

SUSE SLES12 Security Update : nodejs16 (SUSE-SU-2022:3524-1)

The remote SUSE Linux SLES12 / SLESSAP12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2022:3524-1 advisory. - The llhttp parser v14.20.1, v16.17.1 and v18.9.1 in the http module in Node.js does not correctly parse and validate...

CVE-2022-35255

A vulnerability was found in NodeJS due to weak randomness in the WebCrypto keygen within the SecretKeyGenTraits::DoKeyGen in src/crypto/cryptokeygen.cc. Node.js made calls to EntropySource in SecretKeyGenTraits::DoKeyGen. However, it does not check the return value and assumes the EntropySource...

PT-2022-22662 · Node.Js +6 · Node.Js +6

Name of the Vulnerable Software and Affected Versions: Node.js version 18 Description: A weak randomness issue exists in the WebCrypto keygen due to a change with EntropySource in SecretKeyGenTraits::DoKeyGen in src/crypto/crypto keygen.cc. There are two main problems: 1. The return value of...

Node.js: Weak randomness in WebCrypto keygen

https://github.com/nodejs/node/pull/35093 introduced a call to EntropySource in SecretKeyGenTraits::DoKeyGen in src/crypto/cryptokeygen.cc. There are two problems with this: 1. It does not check the return value, it assumes EntropySource always succeeds, but it can and sometimes will fail. 2. The...

The Curious Case of WebCrypto Diffie-Hellman on Firefox - Small Subgroups Key Recovery Attack on DH

tl;dr Mozilla Firefox prior to version 72 suffers from Small Subgroups Key Recovery Attack on DH in the WebCrypto 's API. The Firefox's team fixed the issue removing completely support for DH over finite fields that is not in the WebCrypto standard. If you find this interesting read further below...

Apple Safari WebCrypto Race Condition Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple Safari. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of...

Microsoft Internet Explorer WebCrypto importKey Use-After-Free Information Disclosure Vulnerability

This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Microsoft Internet Explorer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists...

The vulnerability of the DoCrypt function in the WebCrypto interface of the Mozilla Firefox browser allows a perpetrator to execute arbitrary code or cause a service failure.

The vulnerability of the DoCrypt function in the WebCrypto interface of the Mozilla Firefox browser is caused by a numerical overflow. Exploiting this vulnerability allows a malicious actor to execute arbitrary code or cause a service failure remotely...

CVE-2018-5122

A potential integer overflow in the "DoCrypt" function of WebCrypto was identified. If a means was found of exploiting it, it could result in an out-of-bounds write. This vulnerability affects Firefox 58...

CVE-2018-5122

A potential integer overflow in the "DoCrypt" function of WebCrypto was identified. If a means was found of exploiting it, it could result in an out-of-bounds write. This vulnerability affects Firefox 58...

CVE-2017-7822

The AES-GCM implementation in WebCrypto API accepts 0-length IV when it should require a length of 1 according to the NIST Special Publication 800-38D specification. This might allow for the authentication key to be determined in some instances. This vulnerability affects Firefox 56...

CVE-2017-7822

The AES-GCM implementation in WebCrypto API accepts 0-length IV when it should require a length of 1 according to the NIST Special Publication 800-38D specification. This might allow for the authentication key to be determined in some instances. This vulnerability affects Firefox 56...

Authentication flaw

The AES-GCM implementation in WebCrypto API accepts 0-length IV when it should require a length of 1 according to the NIST Special Publication 800-38D specification. This might allow for the authentication key to be determined in some instances. This vulnerability affects Firefox 56...

Integer overflow

A potential integer overflow in the "DoCrypt" function of WebCrypto was identified. If a means was found of exploiting it, it could result in an out-of-bounds write. This vulnerability affects Firefox 58...

CVE-2017-7822

The AES-GCM implementation in WebCrypto API accepts 0-length IV when it should require a length of 1 according to the NIST Special Publication 800-38D specification. This might allow for the authentication key to be determined in some instances. This vulnerability affects Firefox 56...

CVE-2018-5122

A potential integer overflow in the "DoCrypt" function of WebCrypto was identified. If a means was found of exploiting it, it could result in an out-of-bounds write. This vulnerability affects Firefox 58...

CVE-2017-7822

CVE-2017-7822 : The AES-GCM implementation in WebCrypto API accepts a 0-length IV, contrary to NIST SP 800-38D’s 1-byte minimum, potentially enabling leakage of the authentication key in some cases. Affected software is Firefox