CVE-2023-46234

Description

browserify-sign is a package to duplicate the functionality of node's crypto public key functions, much of this is based on Fedor Indutny's work on indutny/tls.js. An upper bound check issue in `dsaVerify` function allows an attacker to construct signatures that can be successfully verified by any public key, thus leading to a signature forgery attack. All places in this project that involve DSA verification of user-input signatures will be affected by this vulnerability. This issue has been patched in version 4.2.2.

How to fix CVE-2023-46234

To remediate CVE-2023-46234, upgrade the affected package to a fixed version below.

• —upgrade to 4.2.1-1+deb11u1 or later
• —upgrade to 4.0.4-2+deb10u1 or later
• —upgrade to 4.2.1-1+deb11u1 or later
• —upgrade to 4.2.2 or later

Is CVE-2023-46234 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (4)

• from 0, < 4.2.1-1+deb11u1
• from 0, < 4.0.4-2+deb10u1
• from 0, < 4.2.1-1+deb11u1
• >= 2.6.0, < 4.2.2

CVSS scores

References (9)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-46234
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2023-46234
• PATCHgithub.com/browserify/browserify-sign
• WEBgithub.com/browserify/browserify-sign/commit/85994cd6348b50f2fd1b73c54e20881416f44a30