CVE-2023-46809

CWE-385, CWE-208 | 6 documents | 6 sources
Severity
7.4 HIGH
EPSS
1.2%
top 20.77%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Sep 7

Description

Node.js versions which bundle an unpatched version of OpenSSL or run against a dynamically linked version of OpenSSL which is unpatched are vulnerable to the Marvin Attack (https://people.redhat.com/~hkario/marvin/) if PKCS #1 v1.5 padding is allowed when performing RSA decryption using a private key.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Exploitability: 2.2 | Impact: 5.2

Affected Packages (2 packages)

CVEList V5 | nodejs/node | 4.0 4.* | +17
Debian | nodejs | < 12.22.12~dfsg-1~deb11u5 | +3

Vulnerability Details (3)

GHSA
GHSA-xfgw-qcmv-354j: Node (2024-09-07)
CVEList
CVE-2023-46809: Node (2024-09-07)
OSV
CVE-2023-46809: Node (2024-09-07)

Vendor Advisories (2)

Red Hat
nodejs: vulnerable to timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding (Marvin) (2024-02-16)
Debian
CVE-2023-46809: nodejs - Node.js versions which bundle an unpatched version of OpenSSL or run against a d... (2023)