189 matches found
Debian DSA-5326-1 : nodejs - security update
The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-5326 advisory. - A OS Command Injection vulnerability exists in Node.js versions 14.20.0, 16.16.0, 18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed...
CVE-2022-35255
A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource in SecretKeyGenTraits::DoKeyGen in src/crypto/cryptokeygen.cc. There are two problems with this: 1 It does not check the return value, it assumes EntropySource always succeeds, but it can a...
ALPINE-CVE-2022-35255
A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource in SecretKeyGenTraits::DoKeyGen in src/crypto/cryptokeygen.cc. There are two problems with this: 1 It does not check the return value, it assumes EntropySource always succeeds, but it can a...
Code injection
A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource in SecretKeyGenTraits::DoKeyGen in src/crypto/cryptokeygen.cc. There are two problems with this: 1 It does not check the return value, it assumes EntropySource always succeeds, but it can a...
CVE-2022-35255
A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource in SecretKeyGenTraits::DoKeyGen in src/crypto/cryptokeygen.cc. There are two problems with this: 1 It does not check the return value, it assumes EntropySource always succeeds, but it can a...
CVE-2022-35255
A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource in SecretKeyGenTraits::DoKeyGen in src/crypto/cryptokeygen.cc. There are two problems with this: 1 It does not check the return value, it assumes EntropySource always succeeds, but it can a...
CVE-2022-35255
A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource in SecretKeyGenTraits::DoKeyGen in src/crypto/cryptokeygen.cc. There are two problems with this: 1 It does not check the return value, it assumes EntropySource always succeeds, but it can a...
CVE-2022-35255
CVE-2022-35255 describes a weakness in Node.js 18 WebCrypto key generation where EntropySource() is invoked but its return value is not checked, and the data returned may not be cryptographically strong. The underlying issue occurs in SecretKeyGenTraits::DoKeyGen() and can lead to weaker key mate...
unbound security, bug fix, and enhancement update
1.16.2-2 - Require openssl tool for unbound-keygen 2116802 1.16.2-1 - Update to 1.16.2 2087120 1.16.0-3 - Disable ED25519 and ED448 in FIPS mode 2079548 1.16.0-2 - Restart keygen service before every unbound start 2094336 1.16.0-1 - Update to 1.16.0 2087120 1.15.0-1 - Update to 1.15.0 2030608 -...
Rocky Linux 8 : nodejs:16 (RLSA-2022:6964)
The remote Rocky Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2022:6964 advisory. - The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTT...
AlmaLinux 8 : nodejs:18 (ALSA-2022:7821)
The remote AlmaLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2022:7821 advisory. nodejs: weak randomness in WebCrypto keygen CVE-2022-35255 nodejs: HTTP Request Smuggling due to incorrect parsing of header fields CVE-2022-35256 Tenable...
nodejs: weak randomness in WebCrypto keygen
A vulnerability was found in NodeJS due to weak randomness in the WebCrypto keygen within the SecretKeyGenTraits::DoKeyGen in src/crypto/cryptokeygen.cc. Node.js made calls to EntropySource in SecretKeyGenTraits::DoKeyGen. However, it does not check the return value and assumes the EntropySource...
nodejs: weak randomness in WebCrypto keygen
A vulnerability was found in NodeJS due to weak randomness in the WebCrypto keygen within the SecretKeyGenTraits::DoKeyGen in src/crypto/cryptokeygen.cc. Node.js made calls to EntropySource in SecretKeyGenTraits::DoKeyGen. However, it does not check the return value and assumes the EntropySource...
Oracle Linux 8 : nodejs:16 (ELSA-2022-6964)
The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2022-6964 advisory. - Resolves: CVE-2022-35255 CVE-2022-35256 Tenable has extracted the preceding description block directly from the Oracle Linux security advisory. Note...
nodejs: weak randomness in WebCrypto keygen
A vulnerability was found in NodeJS due to weak randomness in the WebCrypto keygen within the SecretKeyGenTraits::DoKeyGen in src/crypto/cryptokeygen.cc. Node.js made calls to EntropySource in SecretKeyGenTraits::DoKeyGen. However, it does not check the return value and assumes the EntropySource...
RLSA-2022:6964 Important: nodejs:16 security update
Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs 16. Security Fixes: nodejs: weak randomness in WebCrypto keygen CVE-2022-35255 nodej...
SUSE SLES12 Security Update : nodejs16 (SUSE-SU-2022:3524-1)
The remote SUSE Linux SLES12 / SLESSAP12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2022:3524-1 advisory. Updated to version 16.17.1: - CVE-2022-32213: Fixed bypass via obs-fold mechanic bsc1201325. - CVE-2022-32215: Fixed incorrect...
CVE-2022-35255
A vulnerability was found in NodeJS due to weak randomness in the WebCrypto keygen within the SecretKeyGenTraits::DoKeyGen in src/crypto/cryptokeygen.cc. Node.js made calls to EntropySource in SecretKeyGenTraits::DoKeyGen. However, it does not check the return value and assumes the EntropySource...
PT-2022-22662 · Node.Js +6 · Node.Js +6
Name of the Vulnerable Software and Affected Versions: Node.js version 18 Description: A weak randomness issue exists in the WebCrypto keygen due to a change with EntropySource in SecretKeyGenTraits::DoKeyGen in src/crypto/crypto keygen.cc. There are two main problems: 1. The return value of...
Node.js: Weak randomness in WebCrypto keygen
https://github.com/nodejs/node/pull/35093 introduced a call to EntropySource in SecretKeyGenTraits::DoKeyGen in src/crypto/cryptokeygen.cc. There are two problems with this: 1. It does not check the return value, it assumes EntropySource always succeeds, but it can and sometimes will fail. 2. The...