CVE-2023-46809

Description

Node.js versions which bundle an unpatched version of OpenSSL or run against a dynamically linked version of OpenSSL which are unpatched are vulnerable to the Marvin Attack - https://people.redhat.com/~hkario/marvin/, if PCKS #1 v1.5 padding is allowed when performing RSA descryption using a private key.

How to fix CVE-2023-46809

To remediate CVE-2023-46809, upgrade the affected package to a fixed version below.

• —upgrade to 18.19.1 or later
• —upgrade to 18.19.1 or later
• —upgrade to 12.22.12~dfsg-1~deb11u5 or later
• —upgrade to 18.20.4+dfsg-1~deb12u1 or later

Is CVE-2023-46809 being exploited?

Low — EPSS is 1.2%, meaning exploitation activity has not been observed at scale.

Affected packages (4)

• from 0, < 18.19.1, >= 19.0.0, < 20.11.1, >= 21.0.0, < 21.6.1
• from 0, < 18.19.1, >= 19.0.0, < 20.11.1, >= 21.0.0, < 21.6.1
• from 0, < 12.22.12~dfsg-1~deb11u5
• from 0, < 18.20.4+dfsg-1~deb12u1

CVSS scores

References (5)

• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2023-46809
• WEBlists.debian.org/debian-lts-announce/2024/03/msg00029.html
• WEBlists.debian.org/debian-lts-announce/2024/09/msg00029.html
• WEBnodejs.org/en/blog/vulnerability/february-2024-security-releases