CVE-2023-46809
HIGH7.4EPSS 1.2%nodejs - security update
Published: 9/7/2024Modified: 4/28/2026
Description
Node.js versions which bundle an unpatched version of OpenSSL or run against a dynamically linked version of OpenSSL which are unpatched are vulnerable to the Marvin Attack - https://people.redhat.com/~hkario/marvin/, if PCKS #1 v1.5 padding is allowed when performing RSA descryption using a private key.
Affected packages (4)
- Bitnami/nodefrom 0, < 18.19.1, >= 19.0.0, < 20.11.1, >= 21.0.0, < 21.6.1
- Bitnami/node-minfrom 0, < 18.19.1, >= 19.0.0, < 20.11.1, >= 21.0.0, < 21.6.1
- Debian/nodejsfrom 0, < 12.22.12~dfsg-1~deb11u5
- Debian/nodejsfrom 0, < 18.20.4+dfsg-1~deb12u1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.4 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
References (5)
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2023-46809
- WEBhttps://lists.debian.org/debian-lts-announce/2024/03/msg00029.html
- WEBhttps://lists.debian.org/debian-lts-announce/2024/09/msg00029.html
- WEBhttps://nodejs.org/en/blog/vulnerability/february-2024-security-releases
- WEBhttps://nvd.nist.gov/vuln/detail/CVE-2023-46809