Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2022-35255

Опубликовано: 05 дек. 2022
Источник: nvd
CVSS3: 9.1
EPSS Низкий

Описание

A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. There are two problems with this: 1) It does not check the return value, it assumes EntropySource() always succeeds, but it can (and sometimes will) fail. 2) The random data returned byEntropySource() may not be cryptographically strong and therefore not suitable as keying material.

Ссылки

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
Версия от 15.0.0 (включая) до 15.14.0 (включая)
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
Версия от 16.0.0 (включая) до 16.12.0 (включая)
cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*
Версия от 16.13.0 (включая) до 16.17.1 (исключая)
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
Версия от 18.0.0 (включая) до 18.9.1 (исключая)
Конфигурация 2

Одно из

cpe:2.3:a:siemens:sinec_ins:*:*:*:*:*:*:*:*
Версия до 1.0 (исключая)
cpe:2.3:a:siemens:sinec_ins:1.0:-:*:*:*:*:*:*
cpe:2.3:a:siemens:sinec_ins:1.0:sp1:*:*:*:*:*:*
cpe:2.3:a:siemens:sinec_ins:1.0:sp2:*:*:*:*:*:*
Конфигурация 3
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

EPSS

Процентиль: 79%
0.01374
Низкий

9.1 Critical

CVSS3

Дефекты

CWE-338
CWE-338

Связанные уязвимости

ubuntu логотип

CVE-2022-35255

CVSS3: 9.1
ubuntu
больше 2 лет назад

A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. There are two problems with this: 1) It does not check the return value, it assumes EntropySource() always succeeds, but it can (and sometimes will) fail. 2) The random data returned byEntropySource() may not be cryptographically strong and therefore not suitable as keying material.

redhat логотип

CVE-2022-35255

CVSS3: 8.2
redhat
больше 2 лет назад

A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. There are two problems with this: 1) It does not check the return value, it assumes EntropySource() always succeeds, but it can (and sometimes will) fail. 2) The random data returned byEntropySource() may not be cryptographically strong and therefore not suitable as keying material.

debian логотип

CVE-2022-35255

CVSS3: 9.1
debian
больше 2 лет назад

A weak randomness in WebCrypto keygen vulnerability exists in Node.js ...

github логотип

GHSA-p36x-w6hr-88jp

CVSS3: 9.1
github
больше 2 лет назад

A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. There are two problems with this: 1) It does not check the return value, it assumes EntropySource() always succeeds, but it can (and sometimes will) fail. 2) The random data returned byEntropySource() may not be cryptographically strong and therefore not suitable as keying material.

rocky логотип

RLSA-2022:7821

rocky
больше 2 лет назад

Important: nodejs:18 security update

EPSS

Процентиль: 79%
0.01374
Низкий

9.1 Critical

CVSS3

Дефекты

CWE-338
CWE-338