{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-35255", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "assignerShortName": "hackerone", "dateUpdated": "2024-08-03T09:29:17.447Z", "dateReserved": "2022-07-06T00:00:00", "datePublished": "2022-12-05T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2023-01-25T00:00:00"}, "descriptions": [{"lang": "en", "value": "A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. There are two problems with this: 1) It does not check the return value, it assumes EntropySource() always succeeds, but it can (and sometimes will) fail. 2) The random data returned byEntropySource() may not be cryptographically strong and therefore not suitable as keying material."}], "affected": [{"vendor": "n/a", "product": "https://github.com/nodejs/node", "versions": [{"version": "Fixed in 16.17.1+,18.9.1+", "status": "affected"}]}], "references": [{"url": "https://hackerone.com/reports/1690000"}, {"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf"}, {"url": "https://security.netapp.com/advisory/ntap-20230113-0002/"}, {"name": "DSA-5326", "tags": ["vendor-advisory"], "url": "https://www.debian.org/security/2023/dsa-5326"}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) (CWE-338)", "cweId": "CWE-338"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T09:29:17.447Z"}, "title": "CVE Program Container", "references": [{"url": "https://hackerone.com/reports/1690000", "tags": ["x_transferred"]}, {"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20230113-0002/", "tags": ["x_transferred"]}, {"name": "DSA-5326", "tags": ["vendor-advisory", "x_transferred"], "url": "https://www.debian.org/security/2023/dsa-5326"}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*", "matchCriteriaId": "E47572BB-0E1B-4F93-BCE9-45E03CFD65BD", "versionEndIncluding": "15.14.0", "versionStartIncluding": "15.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*", "matchCriteriaId": "1D1D0CEC-62E5-4368-B8F2-1DA5DD0B88FA", "versionEndIncluding": "16.12.0", "versionStartIncluding": "16.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*", "matchCriteriaId": "09BD0FC2-5AA1-4A22-8432-A2EEA314FE09", "versionEndExcluding": "16.17.1", "versionStartIncluding": "16.13.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*", "matchCriteriaId": "DA8C00DD-A6E5-4E3D-8DD4-F4B51F5C208A", "versionEndExcluding": "18.9.1", "versionStartIncluding": "18.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:siemens:sinec_ins:*:*:*:*:*:*:*:*", "matchCriteriaId": "C89891C1-DFD7-4E1F-80A9-7485D86A15B5", "versionEndExcluding": "1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:sinec_ins:1.0:-:*:*:*:*:*:*", "matchCriteriaId": "4664B195-AF14-4834-82B3-0B2C98020EB6", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:sinec_ins:1.0:sp1:*:*:*:*:*:*", "matchCriteriaId": "75BC588E-CDF0-404E-AD61-02093A1DF343", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:sinec_ins:1.0:sp2:*:*:*:*:*:*", "matchCriteriaId": "A334F7B4-7283-4453-BAED-D2E01B7F8A6E", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. There are two problems with this: 1) It does not check the return value, it assumes EntropySource() always succeeds, but it can (and sometimes will) fail. 2) The random data returned byEntropySource() may not be cryptographically strong and therefore not suitable as keying material."}, {"lang": "es", "value": "Existe una aleatoriedad d\u00e9bil en la vulnerabilidad keygen de WebCrypto en Node.js 18 debido a un cambio con EntropySource() en SecretKeyGenTraits::DoKeyGen() en src/crypto/crypto_keygen.cc. Hay dos problemas con esto: 1) No verifica el valor de retorno, asume que EntropySource() siempre tiene \u00e9xito, pero puede (y a veces fallar\u00e1). 2) Los datos aleatorios devueltos por EntropySource() pueden no ser criptogr\u00e1ficamente s\u00f3lidos y, por lo tanto, no son adecuados como material de claves."}], "id": "CVE-2022-35255", "lastModified": "2023-03-01T15:03:19.287", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-12-05T22:15:10.513", "references": [{"source": "support@hackerone.com", "tags": ["Third Party Advisory"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf"}, {"source": "support@hackerone.com", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://hackerone.com/reports/1690000"}, {"source": "support@hackerone.com", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20230113-0002/"}, {"source": "support@hackerone.com", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2023/dsa-5326"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-338"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-338"}], "source": "support@hackerone.com", "type": "Secondary"}]}

{"acknowledgement": "Upstream acknowledges Ben Noordhuis as the original reporter.", "affected_release": [{"advisory": "RHSA-2022:6964", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "nodejs:16-8060020221007164523.ad008a3a", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2022-10-17T00:00:00Z"}, {"advisory": "RHSA-2022:7821", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "nodejs:18-8070020221004121421.bd1311ed", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2022-11-08T00:00:00Z"}, {"advisory": "RHSA-2022:6963", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "nodejs-1:16.17.1-1.el9_0", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2022-10-18T00:00:00Z"}], "bugzilla": {"description": "nodejs: weak randomness in WebCrypto keygen", "id": "2130517", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2130517"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.2", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "status": "verified"}, "cwe": "CWE-338", "details": ["A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. There are two problems with this: 1) It does not check the return value, it assumes EntropySource() always succeeds, but it can (and sometimes will) fail. 2) The random data returned byEntropySource() may not be cryptographically strong and therefore not suitable as keying material.", "A vulnerability was found in NodeJS due to weak randomness in the WebCrypto keygen within the SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. Node.js made calls to EntropySource() in SecretKeyGenTraits::DoKeyGen(). However, it does not check the return value and assumes the EntropySource() always succeeds, but it can and sometimes will fail. This flaw allows a remote attacker to decrypt sensitive information."], "name": "CVE-2022-35255", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "nodejs:14/nodejs", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "nodejs:18/nodejs", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Not affected", "package_name": "rh-nodejs14-nodejs", "product_name": "Red Hat Software Collections"}], "public_date": "2022-09-23T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-35255\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-35255\nhttps://hackerone.com/bugs?report_id=1690000\nhttps://nodejs.org/en/blog/vulnerability/september-2022-security-releases/#weak-randomness-in-webcrypto-keygen-high-cve-2022-35255"], "statement": "The vulnerability was introduced in NodeJS v15.0.0, Hence, NodeJS:14 package in RHEL-8 and RHSCL-3 are not affected.", "threat_severity": "Important", "upstream_fix": "Nodejs 16.17.1, Nodejs 18.9.1"}