Lucene search

K
veracodeVeracode Vulnerability DatabaseVERACODE:44452
HistoryNov 29, 2023 - 5:49 a.m.

Inconsistency Between Implementation And Documented Design

2023-11-2905:49:28
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
34
inconsistency
implementation
documented
design
nodejs
vulnerable
diffie-hellman
api
keys
exploit
security
breaches
applications
key generation
documentation

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

AI Score

6.6

Confidence

Low

EPSS

0.001

Percentile

31.0%

nodejs is vulnerable to Inconsistency Between Implementation and Documented Design. The vulnerability is due to generateKeys API function returned from crypto.createDiffieHellman only generates missing (or outdated) keys.This discrepancy between the documented and actual behavior of the API allows an attacker to exploit the inconsistency, potentially leading to security breaches in applications that use the Diffie-Hellman method for key generation and expect both private and public keys to be generated as per the documentation.

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

AI Score

6.6

Confidence

Low

EPSS

0.001

Percentile

31.0%