Home > Vulnerability Database > CVE-2023-46809

Mend.io Vulnerability Database

CVE-2023-46809

Good to know:

Date: October 26, 2023

A vulnerability in Node.js the privateDecrypt() API of the crypto library, allowed a covert timing side-channel during PKCS#1 v1.5 padding error handling. The vulnerability revealed significant timing differences in decryption for valid and invalid ciphertexts. This poses a serious threat as attackers could remotely exploit the vulnerability to decrypt captured RSA ciphertexts or forge signatures, especially in scenarios involving API endpoints processing Json Web Encryption messages. This vulnerability affects all users in all active release lines: 18.x, 20.x, and 21.x.

Language: C++

Severity Score

9.8

Related Resources (5)

Url: https://nodejs.org/en/blog/vulnerability/february-2024-security-releases

Url: https://security-tracker.debian.org/tracker/CVE-2023-46809

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-46809

Url: https://github.com/nodejs/node/commit/54cd268059626800dbe1e02a88b28d9538cf5587

Url: https://www.mend.io/vulnerability-database/CVE-2023-46809

Severity Score

9.8

Top Fix

Upgrade Version

Upgrade to version v18.19.1,v20.11.1,v21.6.2

Learn More

CVSS v3.1

Base Score:	9.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2023-46809

Good to know:

Date: October 26, 2023

Language: C++

Severity Score

Related Resources (5)

Severity Score

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?