CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
AI Score
Confidence: High
EPSS
Percentile: 30.0%
When an invalid public key is used to create an x509 certificate using the
crypto.X509Certificate() API, an unexpected termination occurs, making the
application susceptible to DoS attacks: an attacker can force interruptions of
application processing, because the process terminates when user code accesses
the public key info of provided certificates. The current context of the
users is lost, which causes a DoS scenario. This vulnerability
affects all active Node.js versions v16, v18, and v20.
launchpad.net/bugs/cve/CVE-2023-30588
nodejs.org/en/blog/vulnerability/june-2023-security-releases#process-interuption-due-to-invalid-public-key-information-in-x509-certificates-medium-cve-2023-30588
nvd.nist.gov/vuln/detail/CVE-2023-30588
security-tracker.debian.org/tracker/CVE-2023-30588
ubuntu.com/security/notices/USN-6735-1
www.cve.org/CVERecord?id=CVE-2023-30588
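A containment pattern for the termination described above, as an added example that is not code from Node.js or from this advisory: certificates from untrusted sources are parsed in a short-lived child process, so an abnormal exit while reading `publicKey` comes back as a rejected certificate instead of ending the main process. The name `inspectUntrustedCert`, its options, the timeout and the output limit are assumptions made for illustration.

```javascript
const { spawnSync } = require('node:child_process');

// Runs in the child: read the certificate from stdin, touch publicKey (the
// access the advisory says can terminate the process), report the result as JSON.
const CHILD_SCRIPT = `
const { X509Certificate } = require('node:crypto');
const chunks = [];
process.stdin.on('data', (c) => chunks.push(c));
process.stdin.on('end', () => {
  let out;
  try {
    const cert = new X509Certificate(Buffer.concat(chunks));
    const key = cert.publicKey;
    out = { ok: true, subject: cert.subject, keyType: key.asymmetricKeyType };
  } catch (err) {
    out = { ok: false, reason: String(err.message) };
  }
  process.stdout.write(JSON.stringify(out));
});
`;

// Hypothetical helper: returns { ok, ... } and never lets a child crash propagate.
// The script option exists so the failure path can be exercised with a stand-in.
function inspectUntrustedCert(certBytes, { timeoutMs = 5000, script = CHILD_SCRIPT } = {}) {
  const res = spawnSync(process.execPath, ['-e', script], {
    input: certBytes,
    timeout: timeoutMs,      // a hung parser is also treated as a rejection
    maxBuffer: 64 * 1024,    // bound what the child may send back
  });
  if (res.error) {
    return { ok: false, reason: `child failed: ${res.error.message}` };
  }
  if (res.signal || res.status !== 0) {
    // Abnormal exit: only the child's context is lost, not the caller's.
    return { ok: false, reason: `child terminated (signal=${res.signal}, status=${res.status})` };
  }
  try {
    return JSON.parse(res.stdout.toString('utf8'));
  } catch {
    return { ok: false, reason: 'child produced no parsable result' };
  }
}
```

Logging the `reason` field for rejected certificates gives a signal for repeated malformed submissions.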