Details of VAR-202302-1301

ID

VAR-202302-1301

CVE

CVE-2023-25653

TITLE

Cisco Systems Node.js for node-jose Infinite loop vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2023-004410

DESCRIPTION

node-jose is a JavaScript implementation of the JSON Object Signing and Encryption (JOSE) for web browsers and node.js-based servers. Prior to version 2.2.0, when using the non-default "fallback" crypto back-end, ECC operations in `node-jose` can trigger a Denial-of-Service (DoS) condition, due to a possible infinite loop in an internal calculation. For some ECC operations, this condition is triggered randomly; for others, it can be triggered by malicious input. The issue has been patched in version 2.2.0. Since this issue is only present in the "fallback" crypto implementation, it can be avoided by ensuring that either WebCrypto or the Node `crypto` module is available in the JS environment where `node-jose` is being run. Cisco Systems Node.js for node-jose Exists in an infinite loop vulnerability.Service operation interruption (DoS) It may be in a state

Trust: 1.8

sources: NVD: CVE-2023-25653 // JVNDB: JVNDB-2023-004410 // VULHUB: VHN-454696 // VULMON: CVE-2023-25653

AFFECTED PRODUCTS

vendor:	cisco	model:	node-jose	scope:	lt	version:	2.2.0	Trust: 1.0
vendor:	シスコシステムズ	model:	node-jose	scope:	eq	version:	2.2.0	Trust: 0.8
vendor:	シスコシステムズ	model:	node-jose	scope:	eq	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2023-004410 // NVD: CVE-2023-25653

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2023-25653
value:	HIGH
Trust: 1.0
security-advisories@github.com:	CVE-2023-25653
value:	HIGH
Trust: 1.0
NVD:	CVE-2023-25653
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-202302-1415
value:	HIGH
Trust: 0.6

nvd@nist.gov:	CVE-2023-25653
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	3.6
version:	3.1
Trust: 2.0
NVD:	CVE-2023-25653
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: JVNDB: JVNDB-2023-004410 // CNNVD: CNNVD-202302-1415 // NVD: CVE-2023-25653 // NVD: CVE-2023-25653

PROBLEMTYPE DATA

problemtype:	CWE-835	Trust: 1.1
problemtype:	infinite loop (CWE-835) [NVD evaluation ]	Trust: 0.8

sources: VULHUB: VHN-454696 // JVNDB: JVNDB-2023-004410 // NVD: CVE-2023-25653

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202302-1415

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202302-1415

PATCH

title:	Merge pull request from GHSA-5h4j-qrvg-9xhw GitHub	url:	https://github.com/cisco/node-jose/commit/901d91508a70e3b9bdfc45688ea07bb4e1b8210d	Trust: 0.8
title:	jose Security vulnerabilities	url:	http://123.124.177.30/web/xxk/bdxqById.tag?id=226797	Trust: 0.6

sources: JVNDB: JVNDB-2023-004410 // CNNVD: CNNVD-202302-1415

EXTERNAL IDS

db:	NVD	id:	CVE-2023-25653	Trust: 3.4
db:	JVNDB	id:	JVNDB-2023-004410	Trust: 0.8
db:	CNNVD	id:	CNNVD-202302-1415	Trust: 0.6
db:	VULHUB	id:	VHN-454696	Trust: 0.1
db:	VULMON	id:	CVE-2023-25653	Trust: 0.1

sources: VULHUB: VHN-454696 // VULMON: CVE-2023-25653 // JVNDB: JVNDB-2023-004410 // CNNVD: CNNVD-202302-1415 // NVD: CVE-2023-25653

REFERENCES

url:	https://github.com/cisco/node-jose/commit/901d91508a70e3b9bdfc45688ea07bb4e1b8210d	Trust: 1.8
url:	https://github.com/cisco/node-jose/security/advisories/ghsa-5h4j-qrvg-9xhw	Trust: 1.8
url:	https://nvd.nist.gov/vuln/detail/cve-2023-25653	Trust: 0.8
url:	https://cxsecurity.com/cveshow/cve-2023-25653/	Trust: 0.6
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULHUB: VHN-454696 // VULMON: CVE-2023-25653 // JVNDB: JVNDB-2023-004410 // CNNVD: CNNVD-202302-1415 // NVD: CVE-2023-25653

SOURCES

db:	VULHUB	id:	VHN-454696
db:	VULMON	id:	CVE-2023-25653
db:	JVNDB	id:	JVNDB-2023-004410
db:	CNNVD	id:	CNNVD-202302-1415
db:	NVD	id:	CVE-2023-25653

LAST UPDATE DATE

2024-08-14T15:00:28.672000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-454696	date:	2023-02-24T00:00:00
db:	VULMON	id:	CVE-2023-25653	date:	2023-02-16T00:00:00
db:	JVNDB	id:	JVNDB-2023-004410	date:	2023-10-30T05:45:00
db:	CNNVD	id:	CNNVD-202302-1415	date:	2023-02-27T00:00:00
db:	NVD	id:	CVE-2023-25653	date:	2023-11-07T04:09:04.830

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-454696	date:	2023-02-16T00:00:00
db:	VULMON	id:	CVE-2023-25653	date:	2023-02-16T00:00:00
db:	JVNDB	id:	JVNDB-2023-004410	date:	2023-10-30T00:00:00
db:	CNNVD	id:	CNNVD-202302-1415	date:	2023-02-16T00:00:00
db:	NVD	id:	CVE-2023-25653	date:	2023-02-16T19:15:14.650