CVE-2023-23919
First published: Thu Feb 16 2023(Updated: )
A cryptographic vulnerability exists in Node.js <19.2.0, <18.14.1, <16.19.1, <14.21.3 that in some cases did does not clear the OpenSSL error stack after operations that may set it. This may lead to false positive errors during subsequent cryptographic operations that happen to be on the same thread. This in turn could be used to cause a denial of service.
Credit: support@hackerone.com support@hackerone.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/nodejs | <18-9020020230327152102.rhel9 | 18-9020020230327152102.rhel9 |
| Nodejs Node.js | >=14.0.0<=14.14.0 | |
| Nodejs Node.js | >=14.0.0<14.21.3 | |
| Nodejs Node.js | >=16.0.0<=16.12.0 | |
| Nodejs Node.js | >=16.0.0<16.19.1 | |
| Nodejs Node.js | >=18.0.0<=18.11.0 | |
| Nodejs Node.js | >=18.0.0<18.14.1 | |
| Nodejs Node.js | >=19.0.0<19.2.0 | |
| redhat/Node.js | <19.2.0 | 19.2.0 |
| redhat/Node.js | <18.14.1 | 18.14.1 |
| redhat/Node.js | <16.19.1 | 16.19.1 |
| debian/nodejs | 12.22.12~dfsg-1~deb11u4 12.22.12~dfsg-1~deb11u5 18.19.0+dfsg-6~deb12u2 18.19.0+dfsg-6~deb12u1 20.17.0+dfsg-2 | |
| IBM Cloud Pak for Business Automation | <=V22.0.2 - V22.0.2-IF004 | |
| IBM Cloud Pak for Business Automation | <=V21.0.3 - V21.0.3-IF020 | |
| IBM Cloud Pak for Business Automation | <=V22.0.1 - V22.0.1-IF006 and later fixesV21.0.2 - V21.0.2-IF012 and later fixesV21.0.1 - V21.0.1-IF007 and later fixesV20.0.1 - V20.0.3 and later fixesV19.0.1 - V19.0.3 and later fixesV18.0.0 - V18.0.2 and later fixes |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2023-23919 https://nvd.nist.gov/vuln/detail/CVE-2023-23919
- https://bugzilla.redhat.com/show_bug.cgi?id=2172170
- https://access.redhat.com/errata/RHSA-2023:1582
- https://access.redhat.com/errata/RHSA-2023:1583
- https://access.redhat.com/errata/RHSA-2023:2654
- https://access.redhat.com/security/cve/cve-2023-23919
- https://hackerone.com/reports/1808596
- https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/
- https://security.netapp.com/advisory/ntap-20230316-0008/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2172173
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2172174
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2172171
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2172172
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2172176
- https://launchpad.net/bugs/cve/CVE-2023-23919
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23919
- https://nvd.nist.gov/vuln/detail/CVE-2023-23919
- https://security-tracker.debian.org/tracker/CVE-2023-23919
- https://ubuntu.com/security/CVE-2023-23919
- https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/#node-js-openssl-error-handling-issues-in-nodejs-crypto-library-medium-cve-2023-23919
- https://github.com/nodejs/node/commit/438812e14d3b2a705fb639b69e37c6cc4e7c8029
- https://exchange.xforce.ibmcloud.com/vulnerabilities/247697
- https://www.ibm.com/support/pages/node/6998727 (Advisory)
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2023-23919?
CVE-2023-23919 is a cryptographic vulnerability in Node.js versions <19.2.0, <18.14.1, <16.19.1, <14.21.3 that may lead to false positive errors during subsequent cryptographic operations.
How does CVE-2023-23919 affect Node.js?
CVE-2023-23919 affects Node.js versions <19.2.0, <18.14.1, <16.19.1, <14.21.3.
What is the severity of CVE-2023-23919?
CVE-2023-23919 has a severity rating of 7.5 (high).
Which versions of Node.js are affected by CVE-2023-23919?
Node.js versions <19.2.0, <18.14.1, <16.19.1, and <14.21.3 are affected by CVE-2023-23919.
How can I fix CVE-2023-23919?
To fix CVE-2023-23919, update Node.js to version 19.2.0 or later, version 18.14.1 or later, version 16.19.1 or later, or version 14.21.3 or later.
- collector/redhat-cve
- collector/nvd-index
- agent/type
- agent/first-publish-date
- agent/severity
- agent/remedy
- agent/weakness
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2023-23919
- agent/software-canonical-lookup
- collector/launchpad-cve
- source/Launchpad
- collector/nvd-cve
- source/NVD
- agent/author
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- collector/usn-cve
- source/Ubuntu
- agent/references
- agent/tags
- agent/description
- agent/event
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- collector/ibm-support
- source/IBM
- package-manager/redhat
- vendor/nodejs
- canonical/nodejs node.js
- version/nodejs node.js/14.0.0
- version/nodejs node.js/14.14.0
- version/nodejs node.js/16.0.0
- version/nodejs node.js/16.12.0
- version/nodejs node.js/18.0.0
- version/nodejs node.js/18.11.0
- version/nodejs node.js/19.0.0
- package-manager/debian
- vendor/ibm
- canonical/ibm cloud pak for business automation
- version/ibm cloud pak for business automation/v22.0.2 - v22.0.2-if004
- version/ibm cloud pak for business automation/v21.0.3 - v21.0.3-if020
- version/ibm cloud pak for business automation/v22.0.1 - v22.0.1-if006 and later fixesv21.0.2 - v21.0.2-if012 and later fixesv21.0.1 - v21.0.1-if007 and later fixesv20.0.1 - v20.0.3 and later fixesv19.0.1 - v19.0.3 and later fixesv18.0.0 - v18.0.2 and later fixes