CVE-2023-46809
HIGH7.4EPSS 1.2%nodejs - security update
發布日:2024/9/7修改日:2026/4/28
描述
Node.js versions which bundle an unpatched version of OpenSSL or run against a dynamically linked version of OpenSSL which are unpatched are vulnerable to the Marvin Attack - https://people.redhat.com/~hkario/marvin/, if PCKS #1 v1.5 padding is allowed when performing RSA descryption using a private key.
受影響套件(4)
- Bitnami/nodefrom 0, < 18.19.1, >= 19.0.0, < 20.11.1, >= 21.0.0, < 21.6.1
- Bitnami/node-minfrom 0, < 18.19.1, >= 19.0.0, < 20.11.1, >= 21.0.0, < 21.6.1
- Debian/nodejsfrom 0, < 12.22.12~dfsg-1~deb11u5
- Debian/nodejsfrom 0, < 18.20.4+dfsg-1~deb12u1
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.4 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
參考連結(5)
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2023-46809
- WEBhttps://lists.debian.org/debian-lts-announce/2024/03/msg00029.html
- WEBhttps://lists.debian.org/debian-lts-announce/2024/09/msg00029.html
- WEBhttps://nodejs.org/en/blog/vulnerability/february-2024-security-releases
- WEBhttps://nvd.nist.gov/vuln/detail/CVE-2023-46809