CVE-2022-35255

CWE-3387 documents7 sources
Severity
9.1CRITICAL
EPSS
1.2%
top 21.16%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Nodejs NodeNodejs Node.jsSiemens Sinec INS+1 more
Timeline
PublishedDec 5
Latest updateApr 9

Description

A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. There are two problems with this: 1) It does not check the return value, it assumes EntropySource() always succeeds, but it can (and sometimes will) fail. 2) The random data returned byEntropySource() may not be cryptographically strong and therefore not suitable as keying material.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 3.9 | Impact: 5.2

Affected Packages4 packages

CVEListV5nodejs/node4.04.*+12
NVDnodejs/node.js16.13.016.17.1+3
Debiannodejs< 12.22.12~dfsg-1~deb11u3+3
NVDsiemens/sinec_ins< 1.0+1

Also affects: Debian Linux 11.0

🔴Vulnerability Details

3
GHSA
GHSA-p36x-w6hr-88jp: A weak randomness in WebCrypto keygen vulnerability exists in Node2022-12-06
CVEList
CVE-2022-35255: A weak randomness in WebCrypto keygen vulnerability exists in Node2022-12-05
OSV
CVE-2022-35255: A weak randomness in WebCrypto keygen vulnerability exists in Node2022-12-05

📋Vendor Advisories

2
Red Hat
nodejs: weak randomness in WebCrypto keygen2022-09-23
Debian
CVE-2022-35255: nodejs - A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to ...2022

💬Community

1
HackerOne
Use of Cryptographically Weak Pseudo-Random Number Generator in WebCrypto keygen2023-04-09
CVE-2022-35255 (CRITICAL CVSS 9.1) | A weak randomness in WebCrypto keyg | cvebase.io