CVE-2022-35255: A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource() in SecretKeyGenTraits::DoKeyGen() in…

critical9.1CVSS 3.1

AVNACLPRNUINSUCHIHAN

A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. There are two problems with this: 1) It does not check the return value, it assumes EntropySource() always succeeds, but it can (and sometimes will) fail. 2) The random data returned byEntropySource() may not be cryptographically strong and therefore not suitable as keying material.

Affected

25 ranges

Vendor	Product	Version range	Fixed in
debian	debian_linux	—	—
debian	nodejs	< nodejs 18.10.0+dfsg-1 (bookworm)	nodejs 18.10.0+dfsg-1 (bookworm)
nodejs	node	>= 10.0 < 10.*	10.*
nodejs	node	>= 11.0 < 11.*	11.*
nodejs	node	>= 12.0 < 12.*	12.*
nodejs	node	>= 13.0 < 13.*	13.*
nodejs	node	>= 15.0 < 15.*	15.*
nodejs	node	>= 17.0 < 17.*	17.*
nodejs	node	>= 18.0 < 18.9.1	18.9.1
nodejs	node	>= 4.0 < 4.*	4.*
nodejs	node	>= 5.0 < 5.*	5.*
nodejs	node	>= 6.0 < 6.*	6.*
nodejs	node	>= 7.0 < 7.*	7.*
nodejs	node	>= 8.0 < 8.*	8.*
nodejs	node	>= 9.0 < 9.*	9.*
nodejs	node.js	15.0.0 – 15.14.0	—
nodejs	node.js	16.0.0 – 16.12.0	—
nodejs	node.js	>= 16.13.0 < 16.17.1	16.17.1
nodejs	node.js	>= 18.0.0 < 18.9.1	18.9.1
nodejs	nodejs	>= 0 < 12.22.12~dfsg-1~deb11u3	12.22.12~dfsg-1~deb11u3
nodejs	nodejs	>= 0 < 18.10.0+dfsg-1	18.10.0+dfsg-1
nodejs	nodejs	>= 0 < 18.10.0+dfsg-1	18.10.0+dfsg-1
nodejs	nodejs	>= 0 < 18.10.0+dfsg-1	18.10.0+dfsg-1
siemens	sinec_ins	< 1.0	1.0
siemens	sinec_ins	—	—

CVSS provenance

nvdv3.19.1CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

osv9.1CRITICAL