nodejs 安全漏洞 (CVE-2023-30588)

admin

0
文章

0
评论

2023-11-29 17:38:20 Ali_nvd 来源：ZONE.CI 全球网 0 阅读模式

nodejs 安全漏洞 (CVE-2023-30588)

CVE编号

CVE-2023-30588

利用情况

暂无

补丁情况

N/A

披露时间

2023-11-29

漏洞描述

When an invalid public key is used to create an x509 certificate using the crypto.X509Certificate() API a non-expect termination occurs making it susceptible to DoS attacks when the attacker could force interruptions of application processing, as the process terminates when accessing public key info of provided certificates from user code. The current context of the users will be gone, and that will cause a DoS scenario. This vulnerability affects all active Node.js versions v16, v18, and, v20.

解决建议

建议您更新当前系统或软件至最新版，完成漏洞的修复。

参考链接
https://nodejs.org/en/blog/vulnerability/june-2023-security-releases

受影响软件情况

1
#	类型	厂商	产品	版本	影响面
	运行在以下环境
	系统	alma_linux_9	nodejs-full-i18n	*		Up to (excluding) 16.20.1-1.el9_2
	运行在以下环境
	系统	amazon_2023	nodejs	*		Up to (excluding) 18.12.1-1.amzn2023.0.7
	运行在以下环境
	系统	anolis_os_8	nodejs-devel	*		Up to (excluding) 18.16.1-1
	运行在以下环境
	系统	debian_10	nodejs	*		Up to (excluding) 10.24.0~dfsg-1~deb10u1
	运行在以下环境
	系统	debian_11	nodejs	*		Up to (including) 12.22.12~dfsg-1~deb11u4
	运行在以下环境
	系统	debian_12	nodejs	*		Up to (including) 18.13.0+dfsg1-1
	运行在以下环境
	系统	debian_sid	nodejs	*		Up to (excluding) 18.13.0+dfsg1-1.1
	运行在以下环境
	系统	fedora_37	nodejs16-npm-8.19.4-1.16.20.1.1.fc37.i686.rpm (	*		Up to (excluding) 18.16.1-1.fc37
	运行在以下环境
	系统	fedora_38	nodejs16-npm-8.19.4-1.16.20.1.1.fc38.x86_64.rpm (	*		Up to (excluding) 18.16.1-1.fc38
	运行在以下环境
	系统	opensuse_Leap_15.4	nodejs16	*		Up to (excluding) 18.16.1-150400.9.9.1
	运行在以下环境
	系统	opensuse_Leap_15.5	nodejs18-docs	*		Up to (excluding) 18.16.1-150400.9.9.1
	运行在以下环境
	系统	oracle_8	nodejs-full-i18n	*		Up to (excluding) 9.5.1-1.18.16.1.1.module+el8.8.0+21140+54ee8b93
	运行在以下环境
	系统	oracle_9	nodejs-full-i18n	*		Up to (excluding) 2021.06-4.module+el9.1.0+20762+f52d7401
	运行在以下环境
	系统	redhat_9	nodejs-libs-debuginfo	*		Up to (excluding) 16.20.1-1.el9_2