First published: Wed Jul 05 2023
Node.js could provide weaker than expected security, caused by the failure to generate keys after setting a private key by the generateKeys() API function. By sending a specially crafted request, an attacker could exploit this vulnerability to launch further attacks on the system.
Credit: support@hackerone.com
Affected Software | Affected Version | How to fix |
---|---|---|
IBM Planning Analytics | <=2.0 | |
Nodejs Node.js | >=16.0.0 <16.20.1 | |
Nodejs Node.js | >=18.0.0 <18.16.1 | |
Nodejs Node.js | >=20.0.0 <20.3.1 | |
ubuntu/nodejs | <8.10.0~dfsg-2ubuntu0.4+ | 8.10.0~dfsg-2ubuntu0.4+ |
ubuntu/nodejs | <10.19.0~dfsg-3ubuntu1.6 | 10.19.0~dfsg-3ubuntu1.6 |
ubuntu/nodejs | <12.22.9~dfsg-1ubuntu3.5 | 12.22.9~dfsg-1ubuntu3.5 |
ubuntu/nodejs | <18.13.0+dfsg1-1ubuntu2.2 | 18.13.0+dfsg1-1ubuntu2.2 |
ubuntu/nodejs | <0.10.25~dfsg2-2ubuntu1.2+ | 0.10.25~dfsg2-2ubuntu1.2+ |
ubuntu/nodejs | <4.2.6~dfsg-1ubuntu4.2+ | 4.2.6~dfsg-1ubuntu4.2+ |
debian/nodejs | <=10.24.0~dfsg-1~deb10u1 <=12.22.12~dfsg-1~deb11u4 <=18.13.0+dfsg1-1 | 10.24.0~dfsg-1~deb10u4 18.19.0+dfsg-6~deb12u1 18.20.1+dfsg-4 20.13.1+dfsg-1 |
CVE-2023-30590 is a vulnerability that affects the generateKeys() API function returned from crypto.createDiffieHellman() in Node.js.
With CVE-2023-30590, generateKeys() can fail to generate keys after a private key has been set, leaving an application with missing or outdated keys and potentially compromising the security of cryptographic operations.
CVE-2023-30590 has a severity rating of high, with a score of 7.5.
CVE-2023-30590 affects Node.js 16.x from 16.0.0 before 16.20.1, 18.x from 18.0.0 before 18.16.1, and 20.x from 20.0.0 before 20.3.1.
To fix CVE-2023-30590, update your Node.js installation to a version that includes the security patch provided by the Node.js team.
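The behaviour behind this CVE, as an added example (not code from this page or from the Node.js project; the helper names are hypothetical): generateKeys() keeps a private key that is already present on the object, so code that needs a fresh ephemeral key should create a new DiffieHellman object per exchange.

```javascript
// Added example: observe generateKeys() on crypto.createDiffieHellman() objects.
const crypto = require('crypto');

// RFC 3526 2048-bit MODP group from Node's built-in table; its generator is 2,
// which is also the default generator of createDiffieHellman(prime).
const PRIME = crypto.getDiffieHellman('modp14').getPrime();

// Case 1: call generateKeys() twice on one object and compare the private keys.
function secondCallRotatesKey() {
  const dh = crypto.createDiffieHellman(PRIME);
  dh.generateKeys();
  const first = dh.getPrivateKey();
  dh.generateKeys();                       // a caller may expect a new key pair here
  return !first.equals(dh.getPrivateKey());
}

// Case 2: set a private key explicitly, then call generateKeys().
function generateKeysAfterSet() {
  const source = crypto.createDiffieHellman(PRIME);
  const sourcePub = source.generateKeys();
  const priv = source.getPrivateKey();

  const dh = crypto.createDiffieHellman(PRIME);
  dh.setPrivateKey(priv);
  const pub = dh.generateKeys();           // computes the public key only
  return {
    privateKeyKept: dh.getPrivateKey().equals(priv),
    publicKeyDerivedFromIt: pub.equals(sourcePub),
  };
}

// Defensive pattern: one DiffieHellman object per key exchange, never reused.
function freshKeyPair() {
  const dh = crypto.createDiffieHellman(PRIME);
  dh.generateKeys();
  return { dh, publicKey: dh.getPublicKey(), privateKey: dh.getPrivateKey() };
}

console.log('second generateKeys() call rotated the key:', secondCallRotatesKey());
console.log('generateKeys() after setPrivateKey():', generateKeysAfterSet());
console.log('fresh objects yield distinct keys:',
  !freshKeyPair().privateKey.equals(freshKeyPair().privateKey));
```

An audit for this issue can look for generateKeys() calls on a DiffieHellman object that is long-lived or that has had setPrivateKey() called on it.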