#VU77606 Inconsistency between implementation and documented design in Node.js - CVE-2023-30590
Vulnerability identifier: #VU77606
Vulnerability risk: Medium
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID:
CWE-ID:
CWE-1068
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Node.js
Server applications /
Web servers
Vendor: Node.js Foundation
Description
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to inconsistency between implementation and documented design within the generateKeys() API function. The documented behavior is different from the actual behavior, and this difference could lead to security issues in applications that use these APIs as the DiffieHellman may be used as the basis for application-level security.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
Node.js: 16.0.0, 16.1.0 - 16.19.1, 16.2.0 - 16.20.0, 16.3.0, 16.4.0 - 16.4.2, 16.5.0, 16.6.0 - 16.6.2, 16.7.0, 16.8.0, 16.9.0 - 16.9.1, 17.0.0 - 17.0.1, 17.1.0, 17.2.0, 17.3.0 - 17.3.1, 17.4.0, 17.5.0, 17.6.0, 17.7.0 - 17.7.2, 17.8.0, 17.9.0 - 17.9.1, 18.0.0, 18.1.0 - 18.16.0, 18.2.0, 18.3.0, 18.4.0, 18.5.0, 18.6.0, 18.7.0, 18.8.0, 18.9.0, 18.9.1, 19.0.0, 19.0.1, 19.1.0, 19.2.0, 19.3.0, 19.4.0, 19.5.0, 19.6.0, 19.6.1, 19.7.0, 19.8.0, 19.8.1, 19.9.0, 20.0.0, 20.1.0, 20.2.0, 20.3.0
External links
https://nodejs.org/en/blog/vulnerability/june-2023-security-releases
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
