CVE-2023-46234 — Improper Verification of Cryptographic Signature in Browserify-sign
Severity
7.5 HIGH (NVD)
EPSS
0.5%
top 32.74%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Oct 26
Latest update: Nov 19
Description
browserify-sign is a package to duplicate the functionality of node's crypto public key functions, much of this is based on Fedor Indutny's work on indutny/tls.js. An upper bound check issue in `dsaVerify` function allows an attacker to construct signatures that can be successfully verified by any public key, thus leading to a signature forgery attack. All places in this project that involve DSA verification of user-input signatures will be affected by this vulnerability. This issue has been pat…
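The defect the description refers to is a missing range check on the signature values before the DSA verification arithmetic. The following added example is not browserify-sign's code; it is an illustrative verifier using native BigInt that performs the FIPS 186-4 check 0 < r < q and 0 < s < q before computing anything, so that an out-of-range (r, s) is rejected regardless of the public key. The key and signature values are toy numbers constructed for the example (hypothetical, not from the advisory).

```javascript
// Illustrative DSA verifier (added example, not browserify-sign's code).
// Both bounds on r and s are checked before any modular arithmetic; the
// advisory describes the upper bound being ineffective in `dsaVerify`.
// Parameters are toy values constructed for this example; real DSA uses
// 2048-bit p and 224/256-bit q.

function modPow(base, exp, mod) {
  let result = 1n;
  base %= mod;
  while (exp > 0n) {
    if (exp & 1n) result = (result * base) % mod;
    base = (base * base) % mod;
    exp >>= 1n;
  }
  return result;
}

function modInv(a, m) {
  // Extended Euclid on BigInt; returns a^-1 mod m, m prime here.
  let [oldR, r] = [a % m, m];
  let [oldS, s] = [1n, 0n];
  while (r !== 0n) {
    const q = oldR / r;
    [oldR, r] = [r, oldR - q * r];
    [oldS, s] = [s, oldS - q * s];
  }
  if (oldR !== 1n) throw new Error('value not invertible mod q');
  return ((oldS % m) + m) % m;
}

// The check that must hold for BOTH bounds: 0 < v < q.
function inRange(v, q) {
  return v > 0n && v < q;
}

function dsaVerify({ p, q, g, y }, hash, r, s) {
  // Reject out-of-range signature components before doing any math.
  if (!inRange(r, q) || !inRange(s, q)) return false;
  const w = modInv(s, q);
  const u1 = (hash * w) % q;
  const u2 = (r * w) % q;
  const v = ((modPow(g, u1, p) * modPow(y, u2, p)) % p) % q;
  return v === r;
}

// Constructed toy key: p=23, q=11 (q divides p-1), g=4 has order 11,
// private x=3 gives y = 4^3 mod 23 = 18.
const TOY_KEY = { p: 23n, q: 11n, g: 4n, y: 18n };
// Constructed signature of hash 5 made with x=3, k=7: (r, s) = (8, 1).
const TOY_SIG = { hash: 5n, r: 8n, s: 1n };
```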
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Exploitability: 3.9 | Impact: 3.6
Affected Packages (6 packages)
Also affects: Debian Linux 11.0, 12.0
Vulnerability Details (3)
OSV: browserify-sign upper bound check issue in `dsaVerify` leads to a signature forgery attack (2023-10-26)
OSV: CVE-2023-46234: browserify-sign is a package to duplicate the functionality of node's crypto public key functions, much of this is based on Fedor Indutny's work on in… (2023-10-26)
GHSA: browserify-sign upper bound check issue in `dsaVerify` leads to a signature forgery attack (2023-10-26)
Vendor Advisories (5)
Atlassian: CVE-2023-46234: BASM (Broken Authentication & Session Management) browserify-sign Dependency in Confluence Data Center (2024-11-19)
Red Hat: browserify-sign: upper bound check issue in dsaVerify leads to a signature forgery attack (2023-10-26)
Microsoft: browserify-sign vulnerable via an upper bound check issue in `dsaVerify` that leads to a signature forgery attack (2023-10-10)
Debian: CVE-2023-46234: node-browserify-sign - browserify-sign is a package to duplicate the functionality of node's crypto pub... (2023)