
CVE-2023-46234

Published: 26/10/2023 Updated: 28/02/2024
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 0

Vulnerability Summary

browserify-sign is a package that duplicates the functionality of Node's crypto public key functions; much of it is based on Fedor Indutny's work on indutny/tls.js. An upper bound check issue in the `dsaVerify` function means the signature components are not effectively checked against the subgroup order q (DSA requires 0 < r < q and 0 < s < q), so a malicious user can construct signatures that verify successfully under any public key, a signature forgery attack. Every place in this project that performs DSA verification of user-supplied signatures is affected by this vulnerability. This issue has been patched in version 4.2.2.

Vulnerable Products

browserify: browserify-sign

Debian: Debian Linux 11.0 (bullseye)

Debian: Debian Linux 12.0 (bookworm)

Vendor Advisories

Debian Bug report logs - #1054667 node-browserify-sign: CVE-2023-46234 Package: src:node-browserify-sign; Maintainer for src:node-browserify-sign is Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>; Reported by: Moritz Mühlenhoff <jmm@inutil.org> Date: Fri, 27 Oct 2023 16:24:02 UTC Severi ...
It was reported that incorrect bound checks in the dsaVerify function in node-browserify-sign, a Node.js library which adds crypto signing for browsers, allow an attacker to perform signature forgery attacks by constructing signatures that can be successfully verified by any public key. For the oldstable distribution (bullseye), this problem has b ...