CVE-2023-46809

Node.js versions that bundle an unpatched version of OpenSSL, or that run against a dynamically linked OpenSSL that is unpatched, are vulnerable to the Marvin Attack (https://people.redhat.com/~hkario/marvin/) if PKCS #1 v1.5 padding is allowed when performing RSA decryption using a private key.

Configurations

No configuration.

History

09 Sep 2024, 18:35

Type | Values Removed | Values Added
CWE | | CWE-385
CVSS | v2 : unknown, v3 : unknown | v2 : unknown, v3 : 7.4

09 Sep 2024, 13:03

Type Values Removed Values Added
Summary
  • (es) Las versiones de Node.js que incluyen una versión sin parches de OpenSSL o se ejecutan contra una versión vinculada dinámicamente de OpenSSL que no tiene parches son vulnerables al ataque Marvin - https://people.redhat.com/~hkario/marvin/, si se permite el relleno PCKS #1 v1.5 al realizar el descifrado RSA usando una clave privada.

07 Sep 2024, 16:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-09-07 16:15

Updated : 2024-09-09 18:35


NVD link : CVE-2023-46809

Mitre link : CVE-2023-46809

CVE.ORG link : CVE-2023-46809


Products Affected

No product.

CWE
CWE-385

Covert Timing Channel