CVE-2023-30588

8 documents7 sources
Severity
5.3MEDIUM
EPSS
0.0%
top 91.43%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Nodejs NodeNodejs Node.js
Timeline
PublishedNov 28
Latest updateApr 16

Description

When an invalid public key is used to create an x509 certificate using the crypto.X509Certificate() API a non-expect termination occurs making it susceptible to DoS attacks when the attacker could force interruptions of application processing, as the process terminates when accessing public key info of provided certificates from user code. The current context of the users will be gone, and that will cause a DoS scenario. This vulnerability affects all active Node.js versions v16, v18, and, v20.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:LExploitability: 3.9 | Impact: 1.4

Affected Packages4 packages

CVEListV5nodejs/node4.04.*+16
NVDnodejs/node.js16.0.016.20.1+2
Debiannodejs< 18.19.0+dfsg-6~deb12u1+2
Ubuntunodejs< 10.19.0~dfsg-3ubuntu1.6+4

🔴Vulnerability Details

4
OSV
nodejs vulnerabilities2024-04-16
CVEList
CVE-2023-30588: When an invalid public key is used to create an x509 certificate using the crypto2023-11-28
OSV
CVE-2023-30588: When an invalid public key is used to create an x509 certificate using the crypto2023-11-28
GHSA
GHSA-g526-x7vj-cfv6: When an invalid public key is used to create an x509 certificate using the crypto2023-11-28

📋Vendor Advisories

3
Ubuntu
Node.js vulnerabilities2024-04-16
Red Hat
nodejs: process interuption due to invalid Public Key information in x509 certificates2023-06-20
Debian
CVE-2023-30588: nodejs - When an invalid public key is used to create an x509 certificate using the crypt...2023
CVE-2023-30588 (MEDIUM CVSS 5.3) | When an invalid public key is used | cvebase.io