Vulnerability Description
A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. There are two problems with this: 1) It does not check the return value, it assumes EntropySource() always succeeds, but it can (and sometimes will) fail. 2) The random data returned byEntropySource() may not be cryptographically strong and therefore not suitable as keying material.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Nodejs | Node.Js | >= 15.0.0, <= 15.14.0 |
| Siemens | Sinec Ins | < 1.0 |
| Debian | Debian Linux | 11.0 |
Related Weaknesses (CWE)
References
- https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdfThird Party Advisory
- https://hackerone.com/reports/1690000ExploitIssue TrackingThird Party Advisory
- https://security.netapp.com/advisory/ntap-20230113-0002/Third Party Advisory
- https://www.debian.org/security/2023/dsa-5326Third Party Advisory
- https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdfThird Party Advisory
- https://hackerone.com/reports/1690000ExploitIssue TrackingThird Party Advisory
- https://security.netapp.com/advisory/ntap-20230113-0002/Third Party Advisory
- https://www.debian.org/security/2023/dsa-5326Third Party Advisory
FAQ
What is CVE-2022-35255?
CVE-2022-35255 is a vulnerability with a CVSS score of 9.1 (CRITICAL). A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. There are two problems w...
How severe is CVE-2022-35255?
CVE-2022-35255 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2022-35255?
Check the references section above for vendor advisories and patch information. Affected products include: Nodejs Node.Js, Siemens Sinec Ins, Debian Debian Linux.