CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS
Percentile
27.6%
browserify-sign is a package to duplicate the functionality of node’s
crypto public key functions, much of this is based on Fedor Indutny’s work
on indutny/tls.js. An upper bound check issue in dsaVerify
function
allows an attacker to construct signatures that can be successfully
verified by any public key, thus leading to a signature forgery attack. All
places in this project that involve DSA verification of user-input
signatures will be affected by this vulnerability. This issue has been
patched in version 4.2.2.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | node-browserify-sign | < 4.0.4-2ubuntu0.18.04.1~esm1 | UNKNOWN |
ubuntu | 20.04 | noarch | node-browserify-sign | < 4.0.4-2ubuntu0.20.04.1 | UNKNOWN |
ubuntu | 22.04 | noarch | node-browserify-sign | < 4.2.1-2ubuntu0.1 | UNKNOWN |
ubuntu | 23.10 | noarch | node-browserify-sign | < 4.2.1-3ubuntu0.1 | UNKNOWN |
github.com/browserify/browserify-sign/commit/85994cd6348b50f2fd1b73c54e20881416f44a30
github.com/browserify/browserify-sign/security/advisories/GHSA-x9w5-v3q2-3rhw
launchpad.net/bugs/cve/CVE-2023-46234
nvd.nist.gov/vuln/detail/CVE-2023-46234
security-tracker.debian.org/tracker/CVE-2023-46234
ubuntu.com/security/notices/USN-6800-1
www.cve.org/CVERecord?id=CVE-2023-46234