CVE-2023-30590
Publication date 28 November 2023
Last updated 24 July 2024
Ubuntu priority
The generateKeys() API function returned from crypto.createDiffieHellman() only generates missing (or outdated) keys, that is, it only generates a private key if none has been set yet, but the function is also needed to compute the corresponding public key after calling setPrivateKey(). However, the documentation says this API call: "Generates private and public Diffie-Hellman key values". The documented behavior is very different from the actual behavior, and this difference could easily lead to security issues in applications that use these APIs as the DiffieHellman may be used as the basis for application-level security, implications are consequently broad.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| nodejs | 24.04 LTS noble |
Not affected
|
| 22.04 LTS jammy |
Fixed 12.22.9~dfsg-1ubuntu3.5
|
|
| 20.04 LTS focal |
Fixed 10.19.0~dfsg-3ubuntu1.6
|
|
| 18.04 LTS bionic |
Fixed 8.10.0~dfsg-2ubuntu0.4+esm5
|
|
| 16.04 LTS xenial |
Fixed 4.2.6~dfsg-1ubuntu4.2+esm3
|
|
| 14.04 LTS trusty |
Fixed 0.10.25~dfsg2-2ubuntu1.2+esm2
|
Get expanded security coverage with Ubuntu Pro
Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.
Get Ubuntu ProSeverity score breakdown
| Parameter | Value |
|---|---|
| Base score |
7.5 · High
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | High |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
References
Related Ubuntu Security Notices (USN)
- USN-6735-1
- Node.js vulnerabilities
- 16 April 2024