Vulnerability Details : CVE-2023-46809
Node.js versions which bundle an unpatched version of OpenSSL or run against a dynamically linked version of OpenSSL which are unpatched are vulnerable to the Marvin Attack - https://people.redhat.com/~hkario/marvin/, if PCKS #1 v1.5 padding is allowed when performing RSA descryption using a private key.
Products affected by CVE-2023-46809
Please log in to view affected product information.
Exploit prediction scoring system (EPSS) score for CVE-2023-46809
0.47%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 63 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-46809
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
7.4
|
HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
2.2
|
5.2
|
134c704f-9b21-4f2e-91b3-4a467353bcc0 | 2024-09-09 |
|
5.9
|
MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |
N/A
|
N/A
|
RedHat-CVE-2023-46809 | 2024-02-16 |
CWE ids for CVE-2023-46809
-
Covert timing channels convey information by modulating some aspect of system behavior over time, so that the program receiving the information can observe system behavior and infer protected information.Assigned by: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)
References for CVE-2023-46809
-
https://nodejs.org/en/blog/vulnerability/february-2024-security-releases
Node.js — Wednesday February 14 2024 Security Releases
Jump to