CVE-2023-30588

When an invalid public key is used to create an x509 certificate using the crypto.X509Certificate() API a non-expect termination occurs making it susceptible to DoS attacks when the attacker could force interruptions of application processing, as the process terminates when accessing public key info of provided certificates from user code. The current context of the users will be gone, and that will cause a DoS scenario. This vulnerability affects all active Node.js versions v16, v18, and, v20.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://nodejs.org/en/blog/vulnerability/june-2023-security-releases	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:nodejs:node.js::::::::
	cpe:2.3:a:nodejs:node.js::::::::
	cpe:2.3:a:nodejs:node.js::::::::

History

04 Dec 2023, 17:40

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.3
First Time		Nodejs node.js Nodejs
References	~~() https://nodejs.org/en/blog/vulnerability/june-2023-security-releases -~~	() https://nodejs.org/en/blog/vulnerability/june-2023-security-releases - Vendor Advisory
CPE		cpe:2.3:a:nodejs:node.js::::::::
CWE		NVD-CWE-noinfo

28 Nov 2023, 20:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-11-28 20:15

Updated : 2023-12-10 15:26

NVD link : CVE-2023-30588

Mitre link : CVE-2023-30588

CVE.ORG link : CVE-2023-30588

JSON object : View

Products Affected

nodejs

node.js

CWE

NVD-CWE-noinfo

{"id": "CVE-2023-30588", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2023-11-28T20:15:07.437", "references": [{"url": "https://nodejs.org/en/blog/vulnerability/june-2023-security-releases", "tags": ["Vendor Advisory"], "source": "support@hackerone.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "When an invalid public key is used to create an x509 certificate using the crypto.X509Certificate() API a non-expect termination occurs making it susceptible to DoS attacks when the attacker could force interruptions of application processing, as the process terminates when accessing public key info of provided certificates from user code. The current context of the users will be gone, and that will cause a DoS scenario. This vulnerability affects all active Node.js versions v16, v18, and, v20."}, {"lang": "es", "value": "Cuando se utiliza una clave p\u00fablica no v\u00e1lida para crear x509 certificates utilizando la API crypto.X509Certificate(), se produce una terminaci\u00f3n no esperada que la hace susceptible a ataques DoS cuando el atacante podr\u00eda forzar interrupciones en el procesamiento de la aplicaci\u00f3n, ya que el proceso finaliza al acceder a la informaci\u00f3n de clave p\u00fablica de los certificados proporcionados desde el c\u00f3digo de usuario. El contexto actual de los usuarios desaparecer\u00e1 y eso provocar\u00e1 un escenario DoS. Esta vulnerabilidad afecta a todas las versiones activas de Node.js v16, v18 y v20."}], "lastModified": "2023-12-04T17:40:31.033", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7E7F6F9A-AF9F-453B-870D-1E8759567F29", "versionEndExcluding": "16.20.1", "versionStartIncluding": "16.0.0"}, {"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3AA02CEF-5AC5-46F7-94DE-D9EA15678AE7", "versionEndExcluding": "18.16.1", "versionStartIncluding": "18.0.0"}, {"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1CAA23E6-4930-4326-9CB0-AEE5013BFD37", "versionEndExcluding": "20.3.1", "versionStartIncluding": "20.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "support@hackerone.com"}