The generateKeys() API function returned from crypto.createDiffieHellman() only generates missing (or outdated) keys, that is, it only generates a private key if none has been set yet, but the function is also needed to compute the corresponding public key after calling setPrivateKey(). However, the documentation says this API call: "Generates private and public Diffie-Hellman key values".
The documented behavior is very different from the actual behavior, and this difference could easily lead to security issues in applications that use these APIs as the DiffieHellman may be used as the basis for application-level security, implications are consequently broad.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: hackerone
Published: 2023-11-28T19:15:19.447Z
Updated: 2024-08-02T14:28:51.940Z
Reserved: 2023-04-13T01:00:12.086Z
Link: CVE-2023-30590
Vulnrichment
No data.
NVD
Status : Modified
Published: 2023-11-28T20:15:07.480
Modified: 2024-11-21T08:00:28.723
Link: CVE-2023-30590
Redhat