CVE-2023-30590
Public on 2023-06-23
Modified on 2024-02-02
Description
The generateKeys() API function returned from crypto.createDiffieHellman() only generates missing (or outdated) keys, that is, it only generates a private key if none has been set yet.
However, the documentation says this API call: "Generates private and public Diffie-Hellman key values".
The documented behavior is different from the actual behavior, and this difference could easily lead to security issues in applications that use these APIs as the DiffieHellman may be used as the basis for application-level security.
Please note that this is a documentation change an the vulnerability has been classified under CWE-1068 - Inconsistency Between Implementation and Documented Design. This change applies to all Node.js active versions: v16, v18, and, v20.
However, the documentation says this API call: "Generates private and public Diffie-Hellman key values".
The documented behavior is different from the actual behavior, and this difference could easily lead to security issues in applications that use these APIs as the DiffieHellman may be used as the basis for application-level security.
Please note that this is a documentation change an the vulnerability has been classified under CWE-1068 - Inconsistency Between Implementation and Documented Design. This change applies to all Node.js active versions: v16, v18, and, v20.
Severity
Medium
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 2023 | nodejs | 2023-07-05 | ALAS2023-2023-237 | Fixed |
| Amazon Linux 2 - Core | nodejs-packaging | Not Affected |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 6.5 | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
| NVD | CVSSv3 | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |