#VU86724 Covert Timing Channel in Node.js - CVE-2023-46809
Published: February 22, 2024
Node.js
Node.js Foundation
Description
The vulnerability allows a remote attacker to perform a Marvin attack.
The vulnerability exists due to a covert timing channel in the privateDecrypt() API of the crypto library. A remote attacker can exploit a timing side channel in PKCS#1 v1.5 padding error handling to decrypt captured RSA ciphertexts or forge signatures, especially in scenarios involving API endpoints that process JSON Web Encryption messages.
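One defensive pattern for the JSON Web Encryption scenario described above is to allowlist RSA-OAEP key-management algorithms so that attacker-supplied ciphertexts never reach PKCS#1 v1.5 decryption in privateDecrypt(). This is an added example, not code from the advisory or from the Node.js project; the helper names `unwrapCek`, `sampleJwe` and `demo` are hypothetical, and the sample JWE is constructed.

```javascript
const crypto = require('node:crypto');

// JWE "alg" values (RFC 7518) that wrap the key with RSA-OAEP, mapped to the OAEP hash.
// "RSA1_5" (PKCS#1 v1.5) is deliberately absent.
const OAEP_ALGS = { 'RSA-OAEP': 'sha1', 'RSA-OAEP-256': 'sha256' };

// Hypothetical helper: recover the content-encryption key (CEK) of a compact JWE.
function unwrapCek(compactJwe, privateKey) {
  const parts = String(compactJwe).split('.');
  if (parts.length !== 5) throw new Error('malformed JWE');
  let alg;
  try {
    alg = JSON.parse(Buffer.from(parts[0], 'base64url').toString('utf8')).alg;
  } catch {
    throw new Error('malformed JWE');
  }
  // Refuse anything off the allowlist before touching the private key.
  if (typeof alg !== 'string' || !Object.hasOwn(OAEP_ALGS, alg)) {
    throw new Error('unsupported alg');
  }
  try {
    return crypto.privateDecrypt(
      { key: privateKey, padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: OAEP_ALGS[alg] },
      Buffer.from(parts[1], 'base64url'));
  } catch {
    // One generic error for every decryption failure.
    throw new Error('decryption failed');
  }
}

// Constructed sample: a compact JWE whose last three parts are dummy values,
// since only the protected header and the encrypted key matter here.
function sampleJwe(publicKey, alg, cek) {
  const header = Buffer.from(JSON.stringify({ alg, enc: 'A256GCM' })).toString('base64url');
  const wrapped = crypto.publicEncrypt(
    { key: publicKey, padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' }, cek);
  return [header, wrapped.toString('base64url'), 'aXY', 'Y3Q', 'dGFn'].join('.');
}

function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const cek = crypto.randomBytes(32);
  const ok = unwrapCek(sampleJwe(publicKey, 'RSA-OAEP-256', cek), privateKey).equals(cek);
  let rejected = null;
  try { unwrapCek(sampleJwe(publicKey, 'RSA1_5', cek), privateKey); } catch (e) { rejected = e.message; }
  return { ok, rejected };
}
```

Calling `demo()` unwraps an RSA-OAEP-256 message and shows a header carrying `RSA1_5` being refused before any RSA operation runs.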