CVE-2023-23919
7.5
HIGH
CVSS 3.1
EPSS 0.32%
Description
A cryptographic vulnerability exists in Node.js <19.2.0, <18.14.1, <16.19.1, <14.21.3 that in some cases does not clear the OpenSSL error stack after operations that may set it. This may lead to false positive errors during subsequent cryptographic operations that happen to be on the same thread. This in turn could be used to cause a denial of service.
How to fix CVE-2023-23919
To remediate CVE-2023-23919, upgrade the affected package to a fixed version below.
- —upgrade to 16.19.1-r0 or later
- —upgrade to 14.21.3 or later
- —upgrade to 14.21.3 or later
- —upgrade to 18.19.0+dfsg-6~deb12u1 or later
Is CVE-2023-23919 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (4)
- from 0, < 16.19.1-r0
- >= 14.0.0, < 14.21.3, >= 16.0.0, < 16.19.1, >= 18.0.0, < 18.14.1, >= 19.0.0, < 19.2.0
- >= 14.0.0, < 14.21.3, >= 16.0.0, < 16.19.1, >= 18.0.0, < 18.14.1, >= 19.0.0, < 19.2.0
- from 0, < 18.19.0+dfsg-6~deb12u1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |