Vulnerability details: VCID-8qyb-ne8j-g3bb
Vulnerability ID VCID-8qyb-ne8j-g3bb
Aliases CVE-2022-35255
Summary A weak-randomness-in-WebCrypto-keygen vulnerability exists in Node.js 18 due to a change with EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. There are two problems with this: 1) It does not check the return value; it assumes EntropySource() always succeeds, but it can (and sometimes will) fail. 2) The random data returned by EntropySource() may not be cryptographically strong and therefore not suitable as keying material.
Status Published
Exploitability 0.5
Weighted Severity 8.2
Risk 4.1
Affected and Fixed Packages Package Details
Weaknesses (1)
System Score Found at
cvssv3 8.2 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-35255.json
epss 0.00715 https://api.first.org/data/v1/epss?cve=CVE-2022-35255
epss 0.01258 https://api.first.org/data/v1/epss?cve=CVE-2022-35255
cvssv3.1 9.1 https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf
ssvc Track https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf
cvssv3.1 8.2 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1 9.1 https://hackerone.com/reports/1690000
ssvc Track https://hackerone.com/reports/1690000
cvssv3.1 9.1 https://nvd.nist.gov/vuln/detail/CVE-2022-35255
cvssv3.1 9.1 https://security.netapp.com/advisory/ntap-20230113-0002/
ssvc Track https://security.netapp.com/advisory/ntap-20230113-0002/
cvssv3.1 9.1 https://www.debian.org/security/2023/dsa-5326
ssvc Track https://www.debian.org/security/2023/dsa-5326
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-35255.json
https://api.first.org/data/v1/epss?cve=CVE-2022-35255
https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32212
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32213
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32214
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32215
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35255
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35256
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43548
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://www.debian.org/security/2023/dsa-5326
1690000 https://hackerone.com/reports/1690000
2130517 https://bugzilla.redhat.com/show_bug.cgi?id=2130517
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*
cpe:2.3:a:siemens:sinec_ins:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:siemens:sinec_ins:*:*:*:*:*:*:*:*
cpe:2.3:a:siemens:sinec_ins:1.0:-:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:siemens:sinec_ins:1.0:-:*:*:*:*:*:*
cpe:2.3:a:siemens:sinec_ins:1.0:sp1:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:siemens:sinec_ins:1.0:sp1:*:*:*:*:*:*
cpe:2.3:a:siemens:sinec_ins:1.0:sp2:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:siemens:sinec_ins:1.0:sp2:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
CVE-2022-35255 https://nvd.nist.gov/vuln/detail/CVE-2022-35255
ntap-20230113-0002 https://security.netapp.com/advisory/ntap-20230113-0002/
RHSA-2022:6963 https://access.redhat.com/errata/RHSA-2022:6963
RHSA-2022:6964 https://access.redhat.com/errata/RHSA-2022:6964
RHSA-2022:7821 https://access.redhat.com/errata/RHSA-2022:7821
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-35255.json
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): low; Availability Impact (A): none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): none
Vector: SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-04-24T13:23:49Z/ Found at https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): low; Availability Impact (A): none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://hackerone.com/reports/1690000
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): none
Vector: SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-04-24T13:23:49Z/ Found at https://hackerone.com/reports/1690000
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2022-35255
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://security.netapp.com/advisory/ntap-20230113-0002/
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): none
Vector: SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-04-24T13:23:49Z/ Found at https://security.netapp.com/advisory/ntap-20230113-0002/
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://www.debian.org/security/2023/dsa-5326
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): none
Vector: SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-04-24T13:23:49Z/ Found at https://www.debian.org/security/2023/dsa-5326
Exploit Prediction Scoring System (EPSS)
Percentile 0.71587
EPSS Score 0.00715
Published At Aug. 1, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T08:31:34.066576+00:00 Alpine Linux Importer Import https://secdb.alpinelinux.org/v3.18/community.json 37.0.0