CVE-2023-23919

CWE-310 | 10 documents | 9 sources
Severity: 7.5 HIGH
EPSS: 0.6% (top 31.41%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 23 | Latest update Mar 4

Description

A cryptographic vulnerability exists in Node.js <19.2.0, <18.14.1, <16.19.1, <14.21.3 that in some cases does not clear the OpenSSL error stack after operations that may set it. This may lead to false positive errors during subsequent cryptographic operations that happen to be on the same thread. This in turn could be used to cause a denial of service.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Affected Packages (4 packages)

CVEListV5 | nodejs/node | 4.0 | 4.* | +15
NVD | nodejs/node.js | 14.0.0 | 14.21.3 | +6
Debian | nodejs | < 18.19.0+dfsg-6~deb12u1 | +2
Ubuntu | nodejs | < 10.19.0~dfsg-3ubuntu1.5 | +1

Patches

🔴 Vulnerability Details (4)

OSV | nodejs vulnerabilities | 2024-03-04
GHSA | GHSA-mfq6-mjjx-mp7f: A cryptographic vulnerability exists in Node | 2023-02-23
CVEList | CVE-2023-23919: A cryptographic vulnerability exists in Node | 2023-02-23
OSV | CVE-2023-23919: A cryptographic vulnerability exists in Node | 2023-02-23

📋 Vendor Advisories (4)

Ubuntu | Node.js vulnerabilities | 2024-03-04
Red Hat | Node.js: OpenSSL error handling issues in nodejs crypto library | 2023-02-16
Microsoft | A cryptographic vulnerability exists in Node.js <19.2.0 <18.14.1 <16.19.1 <14.21.3 that in some cases did does not clear the OpenSSL error stack after operations that may set it. This may lead to fals | 2023-02-14
Debian | CVE-2023-23919: nodejs - A cryptographic vulnerability exists in Node.js <19.2.0, <18.14.1, <16.19.1, <14... | 2023

💬 Community (1)

HackerOne | CVE-2023-23919: Multiple OpenSSL error handling issues in nodejs crypto library | 2023-03-29