First published: Thu Feb 16 2023(Updated: )
A cryptographic vulnerability exists in Node.js <19.2.0, <18.14.1, <16.19.1 and <14.21.3: in some cases Node.js does not clear the OpenSSL error stack after operations that may set it. Because the OpenSSL error stack is per thread, a stale error left behind can be reported as a failure by a later, otherwise successful cryptographic operation that happens to run on the same thread. These false-positive errors could in turn be used to cause a denial of service.
Credit: support@hackerone.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/nodejs | <18-9020020230327152102.rhel9 | 18-9020020230327152102.rhel9 |
| Nodejs Node.js | >=14.0.0, <14.21.3 | 14.21.3 |
| Nodejs Node.js | >=16.0.0, <16.19.1 | 16.19.1 |
| Nodejs Node.js | >=18.0.0, <18.14.1 | 18.14.1 |
| Nodejs Node.js | >=19.0.0, <19.2.0 | 19.2.0 |
| IBM Cognos Dashboards on Cloud Pak for Data | <=4.7.0 | |
| redhat/Node.js | <19.2.0 | 19.2.0 |
| redhat/Node.js | <18.14.1 | 18.14.1 |
| redhat/Node.js | <16.19.1 | 16.19.1 |
| ubuntu/nodejs | <18.13.0+dfsg1-1ubuntu2.1 | 18.13.0+dfsg1-1ubuntu2.1 |
| debian/nodejs | <=18.13.0+dfsg1-1 | 10.24.0~dfsg-1~deb10u1, 10.24.0~dfsg-1~deb10u4, 12.22.12~dfsg-1~deb11u4, 18.19.0+dfsg-6~deb12u1, 18.20.1+dfsg-4, 20.13.1+dfsg-2 |
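The version ranges in the table are easy to get wrong by eye, especially across four release lines. The following is an added example, not code from the advisory or from the Node.js project: it encodes the fixed upstream releases listed above and checks a Node.js version string (such as `process.version`) against them. Majors the advisory does not list are reported as "not listed" rather than as safe; the function names and the result shape are this example's own.

```javascript
// Added example, not code from the advisory or from the Node.js project.
// Fixed upstream releases for CVE-2023-23919, per the advisory, keyed by major.
const FIXED_BY_MAJOR = { 14: '14.21.3', 16: '16.19.1', 18: '18.14.1', 19: '19.2.0' };

// Parse "v18.13.0", "18.13.0" or "v18.13.0-pre" into [major, minor, patch];
// returns null for anything that does not start with three numeric fields.
function parseVersion(s) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(s).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Numeric, field-by-field comparison of two parsed versions: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Assess one Node.js version string against the advisory's fixed releases.
// listed: whether the advisory covers this major at all;
// affected: true/false for listed majors, null for unlisted ones;
// fixedIn: the first fixed release on the same major when affected.
function assessCve202323919(versionString) {
  const v = parseVersion(versionString);
  if (v === null) throw new Error(`unparseable Node.js version: ${versionString}`);
  const fixedIn = FIXED_BY_MAJOR[v[0]];
  if (fixedIn === undefined) {
    // e.g. 20.x (not in the advisory) or an end-of-life line below 14:
    // the table says nothing, so do not claim "safe".
    return { version: versionString, listed: false, affected: null, fixedIn: null };
  }
  const affected = compareVersions(v, parseVersion(fixedIn)) < 0;
  return { version: versionString, listed: true, affected, fixedIn: affected ? fixedIn : null };
}

// Assess the interpreter this script is running under.
function assessRunningNode() {
  return assessCve202323919(process.version);
}

console.log(JSON.stringify(assessRunningNode()));
```

One caveat when using this against the ubuntu/nodejs and debian/nodejs rows: distribution packages backport the fix without bumping the upstream version string, so `process.version` on a patched distro package can still read as an affected release. On those systems compare the package version reported by `dpkg -s nodejs` or `rpm -q nodejs` with the "How to fix" column instead of trusting the upstream version alone.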
CVE-2023-23919 is a cryptographic vulnerability in Node.js versions <19.2.0, <18.14.1, <16.19.1 and <14.21.3: an OpenSSL error left on the thread's error stack is not cleared and may surface as a false-positive error in a later, unrelated cryptographic operation on the same thread, which could be used to cause a denial of service.
CVE-2023-23919 has a severity rating of 7.5 (high).
To fix CVE-2023-23919, update Node.js to 19.2.0, 18.14.1, 16.19.1 or 14.21.3 (or later) on the release line you run; for distribution-packaged Node.js, use the fixed package versions in the table above.