CVE Vulnerability

CVE-2022-35255

A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. There are two problems with this: 1) It does not check the return value, it assumes EntropySource() always succeeds, but it can (and sometimes will) fail. 2) The random data returned byEntropySource() may not be cryptographically strong and therefore not suitable as keying material.

9.1 /10

CVSS v3.0 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://hackerone.com/reports/1690000 Exploit Issue Tracking
https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf
https://security.netapp.com/advisory/ntap-20230113-0002/
https://www.debian.org/security/2023/dsa-5326
Configurations

Configuration 1

cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
Information

Published : 2022-12-05 10:15

Updated : 2023-01-26 09:15

NVD link : CVE-2022-35255

Mitre link : CVE-2022-35255

Products Affected
No products.
CWE
CWE-338

Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)