BIT-node-2022-35255

Import Source

https://github.com/bitnami/vulndb/tree/main/data/node/BIT-node-2022-35255.json

Aliases

CVE-2022-35255

Published

2024-03-06T11:03:16.007Z

Modified

2024-03-06T11:25:28.861Z

Details

A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. There are two problems with this: 1) It does not check the return value, it assumes EntropySource() always succeeds, but it can (and sometimes will) fail. 2) The random data returned byEntropySource() may not be cryptographically strong and therefore not suitable as keying material.

References

https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf
https://hackerone.com/reports/1690000
https://security.netapp.com/advisory/ntap-20230113-0002/
https://www.debian.org/security/2023/dsa-5326

Affected packages

Bitnami / node

Package

Name: node

Affected ranges

Type: SEMVER
Events: Introduced

15.0.0

Fixed

15.14.0

Introduced

16.0.0

Fixed

16.12.0

Introduced

16.13.0

Fixed

16.17.1

Introduced

18.0.0

Fixed

18.9.1