exploitDog

CVE-2022-35255

Published: 23 Sept 2022
Source: redhat
CVSS3: 8.2

Description

A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. There are two problems with this: 1) It does not check the return value; it assumes EntropySource() always succeeds, but it can (and sometimes will) fail. 2) The random data returned by EntropySource() may not be cryptographically strong and therefore is not suitable as keying material.

A vulnerability was found in NodeJS due to weak randomness in the WebCrypto keygen within SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. Node.js calls EntropySource() in SecretKeyGenTraits::DoKeyGen() but does not check the return value, assuming EntropySource() always succeeds; it can and sometimes will fail, leaving the key buffer filled with whatever it held before the call. This flaw allows a remote attacker to decrypt sensitive information protected with such a key.
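The bug class described above, as an added example that is not code from Node.js or Red Hat: a secret-key generator that discards the entropy source's return value beside one that checks it. The EntropyFn signature (buffer, length, returning bool) is assumed for illustration, and both sources are constructed stand-ins, not real RNGs, so the example runs offline and deterministically.

```cpp
// Added example (not Node.js source). Shows why an unchecked entropy-source
// return value matters: when the source fails, the zero-initialised buffer
// is handed back as if it were a freshly generated key. The EntropyFn shape
// (buffer, length -> bool) is an assumption of this example.
#include <algorithm>
#include <cstddef>
#include <functional>
#include <iostream>
#include <vector>

using EntropyFn = std::function<bool(unsigned char*, size_t)>;

// Constructed source that simulates RNG failure: writes nothing, returns false.
bool FailingEntropySource(unsigned char* /*buffer*/, size_t /*length*/) {
  return false;
}

// Constructed source that fills the buffer with a fixed pattern and succeeds.
// It stands in for a CSPRNG only so that results are deterministic; it is NOT random.
bool PatternEntropySource(unsigned char* buffer, size_t length) {
  for (size_t i = 0; i < length; ++i) {
    buffer[i] = static_cast<unsigned char>(0xA5 ^ i);
  }
  return true;
}

// Vulnerable shape: the return value is ignored. On failure the caller
// receives an all-zero, fully predictable "key".
std::vector<unsigned char> GenerateSecretKeyUnchecked(const EntropyFn& source,
                                                      size_t length) {
  std::vector<unsigned char> key(length, 0);
  source(key.data(), key.size());  // BUG: result discarded
  return key;
}

// Hardened shape: a failed source call is a hard error, never a usable key.
bool GenerateSecretKeyChecked(const EntropyFn& source, size_t length,
                              std::vector<unsigned char>* out) {
  std::vector<unsigned char> key(length, 0);
  if (!source(key.data(), key.size())) {
    return false;  // propagate; the caller must abort key generation
  }
  *out = std::move(key);
  return true;
}

// Convenience wrapper: the checked key, or an empty vector when generation failed.
std::vector<unsigned char> CheckedKeyOrEmpty(const EntropyFn& source, size_t length) {
  std::vector<unsigned char> key;
  if (!GenerateSecretKeyChecked(source, length, &key)) {
    return {};
  }
  return key;
}

// True if every byte is zero: the signature of a silently failed fill.
bool IsAllZero(const std::vector<unsigned char>& bytes) {
  return std::all_of(bytes.begin(), bytes.end(),
                     [](unsigned char b) { return b == 0; });
}

int main() {
  std::vector<unsigned char> weak = GenerateSecretKeyUnchecked(FailingEntropySource, 32);
  std::cout << "unchecked + failing source -> all-zero key: "
            << (IsAllZero(weak) ? "yes" : "no") << "\n";
  std::cout << "checked + failing source -> key produced: "
            << (CheckedKeyOrEmpty(FailingEntropySource, 32).empty() ? "no" : "yes") << "\n";
  std::cout << "checked + working source -> key length: "
            << CheckedKeyOrEmpty(PatternEntropySource, 16).size() << "\n";
  return 0;
}
```

The unchecked path is the shape the CVE describes: nothing in the returned buffer distinguishes a failed fill from a real key, so the caller cannot detect the problem after the fact. The only robust fix is to check the return value at the call site and fail closed, then make sure the source itself is a CSPRNG (the second problem in the description), which no post-hoc check on the output can verify.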

Statement

The vulnerability was introduced in NodeJS v15.0.0; hence the nodejs:14 packages in RHEL-8 and RHSCL-3 are not affected.

Affected packages

Platform                          Package             Status        Advisory         Release
Red Hat Enterprise Linux 8        nodejs:14/nodejs    Not affected
Red Hat Enterprise Linux 9        nodejs:18/nodejs    Not affected
Red Hat Software Collections      rh-nodejs14-nodejs  Not affected
Red Hat Enterprise Linux 8        nodejs              Fixed         RHSA-2022:6964   17.10.2022
Red Hat Enterprise Linux 8        nodejs              Fixed         RHSA-2022:7821   08.11.2022
Red Hat Enterprise Linux 9        nodejs              Fixed         RHSA-2022:6963   18.10.2022


Additional information

Status: Important
Weakness: CWE-338 (Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG))
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2130517 (nodejs: weak randomness in WebCrypto keygen)

CVSS3: 8.2 (High)

Related vulnerabilities

ubuntu: CVSS3 9.1, more than 2 years ago (same description text as in the Description section above)
nvd: CVSS3 9.1, more than 2 years ago (same description text as above)
debian: CVSS3 9.1, more than 2 years ago (same description text as above)
github: CVSS3 9.1, more than 2 years ago (same description text as above)
rocky: more than 2 years ago, "Important: nodejs:18 security update"