CVE-2022-35255

Name
CVE-2022-35255
Description
A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. There are two problems with this: 1) It does not check the return value, it assumes EntropySource() always succeeds, but it can (and sometimes will) fail. 2) The random data returned byEntropySource() may not be cryptographically strong and therefore not suitable as keying material.
NVD Severity
high
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
MISC https://hackerone.com/reports/1690000
Third Party Advisory https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf
Third Party Advisory https://security.netapp.com/advisory/ntap-20230113-0002/
Third Party Advisory https://www.debian.org/security/2023/dsa-5326

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:* nodejs >= 16.0.0 <= 16.12.0
cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:* nodejs >= 16.13.0 < 16.17.1
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:* nodejs >= 18.0.0 < 18.9.1
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:* nodejs >= 15.0.0 <= 15.14.0

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
nodejs-current 3.16-community 18.9.1-r0 Jose-Luis Rivas <ghostbar@riseup.net> fixed