CVE-2023-23919
First published: Thu Feb 16 2023(Updated: )
A cryptographic vulnerability exists in Node.js <19.2.0, <18.14.1, <16.19.1, <14.21.3 that in some cases did does not clear the OpenSSL error stack after operations that may set it. This may lead to false positive errors during subsequent cryptographic operations that happen to be on the same thread. This in turn could be used to cause a denial of service.
Credit: support@hackerone.com support@hackerone.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/nodejs | <18-9020020230327152102.rhel9 | 18-9020020230327152102.rhel9 |
| Nodejs Node.js | >=14.0.0<=14.14.0 | |
| Nodejs Node.js | >=14.0.0<14.21.3 | |
| Nodejs Node.js | >=16.0.0<=16.12.0 | |
| Nodejs Node.js | >=16.0.0<16.19.1 | |
| Nodejs Node.js | >=18.0.0<=18.11.0 | |
| Nodejs Node.js | >=18.0.0<18.14.1 | |
| Nodejs Node.js | >=19.0.0<19.2.0 | |
| IBM Cognos Dashboards on Cloud Pak for Data | <=4.7.0 | |
| redhat/Node.js | <19.2.0 | 19.2.0 |
| redhat/Node.js | <18.14.1 | 18.14.1 |
| redhat/Node.js | <16.19.1 | 16.19.1 |
| ubuntu/nodejs | <18.13.0+dfsg1-1ubuntu2.1 | 18.13.0+dfsg1-1ubuntu2.1 |
| debian/nodejs | <=18.13.0+dfsg1-1 | 10.24.0~dfsg-1~deb10u1 10.24.0~dfsg-1~deb10u4 12.22.12~dfsg-1~deb11u4 18.19.0+dfsg-6~deb12u1 18.20.1+dfsg-4 20.13.1+dfsg-2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2023-23919 https://nvd.nist.gov/vuln/detail/CVE-2023-23919
- https://bugzilla.redhat.com/show_bug.cgi?id=2172170
- https://access.redhat.com/errata/RHSA-2023:1582
- https://access.redhat.com/errata/RHSA-2023:1583
- https://access.redhat.com/errata/RHSA-2023:2654
- https://access.redhat.com/security/cve/cve-2023-23919
- https://hackerone.com/reports/1808596
- https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/
- https://security.netapp.com/advisory/ntap-20230316-0008/
- https://exchange.xforce.ibmcloud.com/vulnerabilities/247697
- https://www.ibm.com/support/pages/node/7031207 (Advisory)
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2172173
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2172174
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2172171
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2172172
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2172176
- https://launchpad.net/bugs/cve/CVE-2023-23919
- https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/#node-js-openssl-error-handling-issues-in-nodejs-crypto-library-medium-cve-2023-23919
- https://github.com/nodejs/node/commit/438812e14d3b2a705fb639b69e37c6cc4e7c8029
- https://security-tracker.debian.org/tracker/CVE-2023-23919
- https://ubuntu.com/security/notices/USN-6672-1
- https://www.cve.org/CVERecord?id=CVE-2023-23919
- https://nvd.nist.gov/vuln/detail/CVE-2023-23919
- https://ubuntu.com/security/CVE-2023-23919
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2023-23919?
CVE-2023-23919 is a cryptographic vulnerability in Node.js versions <19.2.0, <18.14.1, <16.19.1, <14.21.3 that may lead to false positive errors during subsequent cryptographic operations.
How does CVE-2023-23919 affect Node.js?
CVE-2023-23919 affects Node.js versions <19.2.0, <18.14.1, <16.19.1, <14.21.3.
What is the severity of CVE-2023-23919?
CVE-2023-23919 has a severity rating of 7.5 (high).
Which versions of Node.js are affected by CVE-2023-23919?
Node.js versions <19.2.0, <18.14.1, <16.19.1, and <14.21.3 are affected by CVE-2023-23919.
How can I fix CVE-2023-23919?
To fix CVE-2023-23919, update Node.js to version 19.2.0 or later, version 18.14.1 or later, version 16.19.1 or later, or version 14.21.3 or later.
- collector/redhat-cve
- collector/nvd-index
- collector/ibm-support
- agent/type
- agent/last-modified-date
- agent/first-publish-date
- agent/severity
- agent/remedy
- agent/weakness
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2023-23919
- agent/software-canonical-lookup
- agent/references
- agent/description
- collector/launchpad-cve
- source/Launchpad
- agent/event
- collector/nvd-cve
- source/NVD
- agent/author
- agent/tags
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- collector/usn-cve
- source/Ubuntu
- package-manager/redhat
- vendor/nodejs
- canonical/nodejs node.js
- version/nodejs node.js/14.0.0
- version/nodejs node.js/14.14.0
- version/nodejs node.js/16.0.0
- version/nodejs node.js/16.12.0
- version/nodejs node.js/18.0.0
- version/nodejs node.js/18.11.0
- version/nodejs node.js/19.0.0
- vendor/ibm
- canonical/ibm cognos dashboards on cloud pak for data
- version/ibm cognos dashboards on cloud pak for data/4.7.0
- package-manager/debian
- package-manager/ubuntu