CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
AI Score
Confidence: High
EPSS
Percentile: 31.0%
The generateKeys() API function of the object returned from
crypto.createDiffieHellman() only generates missing (or outdated) keys.
That is, it only generates a private key if none has been set yet, but the
function is also needed to compute the corresponding public key after
calling setPrivateKey(). However, the documentation says that this API
call “Generates private and public Diffie-Hellman key values”. The
documented behavior is very different from the actual behavior, and this
difference could easily lead to security issues in applications that use
these APIs. Because DiffieHellman may be used as the basis for
application-level security, the implications are consequently broad.
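The behavior described above, shown as an added Node.js example (not code from the Node.js project or from this advisory). The helper names `repeatedCallKeepsPrivateKey`, `setKeyThenGenerate` and `freshKeyPair`, and the use of the modp14 group, are assumptions made for illustration.

```javascript
// Added example; helper names are hypothetical, not Node.js project code.
const { createDiffieHellman, getDiffieHellman } = require('crypto');

// RFC 3526 2048-bit MODP group ("modp14"); its generator is 2, which is also
// the default generator of createDiffieHellman(prime).
const PRIME = getDiffieHellman('modp14').getPrime();
const toBig = (buf) => BigInt('0x' + buf.toString('hex'));

// Square-and-multiply, used only to check a public key independently.
function modPow(base, exp, mod) {
  let result = 1n;
  for (base %= mod; exp > 0n; exp >>= 1n) {
    if (exp & 1n) result = (result * base) % mod;
    base = (base * base) % mod;
  }
  return result;
}

// Case 1: a second generateKeys() on the same object keeps the private key.
function repeatedCallKeepsPrivateKey() {
  const dh = createDiffieHellman(PRIME);
  dh.generateKeys();
  const first = dh.getPrivateKey();
  dh.generateKeys();
  return first.equals(dh.getPrivateKey());
}

// Case 2: setPrivateKey(x) leaves the old public key in place until
// generateKeys() recomputes it as g^x mod p, without replacing x.
function setKeyThenGenerate(x) {
  const dh = createDiffieHellman(PRIME);
  const oldPub = dh.generateKeys();
  dh.setPrivateKey(x);
  const stale = dh.getPublicKey().equals(oldPub);
  const pub = toBig(dh.generateKeys());
  return {
    stale,
    privateKept: toBig(dh.getPrivateKey()) === toBig(x),
    publicMatches: pub === modPow(2n, toBig(x), toBig(PRIME)),
  };
}

// Defensive pattern: a new DiffieHellman object per exchange, so each
// exchange gets an independent private key.
function freshKeyPair() {
  const dh = createDiffieHellman(PRIME);
  return { dh, publicKey: dh.generateKeys() };
}
```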
OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | nodejs | < 8.10.0~dfsg-2ubuntu0.4+esm5 | UNKNOWN |
ubuntu | 20.04 | noarch | nodejs | < 10.19.0~dfsg-3ubuntu1.6 | UNKNOWN |
ubuntu | 22.04 | noarch | nodejs | < 12.22.9~dfsg-1ubuntu3.5 | UNKNOWN |
ubuntu | 23.10 | noarch | nodejs | < 18.13.0+dfsg1-1ubuntu2.2 | UNKNOWN |
ubuntu | 14.04 | noarch | nodejs | < 0.10.25~dfsg2-2ubuntu1.2+esm2 | UNKNOWN |
ubuntu | 16.04 | noarch | nodejs | < 4.2.6~dfsg-1ubuntu4.2+esm3 | UNKNOWN |
launchpad.net/bugs/cve/CVE-2023-30590
nodejs.org/en/blog/vulnerability/june-2023-security-releases#diffiehellman-do-not-generate-keys-after-setting-a-private-key-medium-cve-2023-30590
nvd.nist.gov/vuln/detail/CVE-2023-30590
security-tracker.debian.org/tracker/CVE-2023-30590
ubuntu.com/security/notices/USN-6735-1
www.cve.org/CVERecord?id=CVE-2023-30590