CVE-2023-46234

CVSS V2 None CVSS V3 None

Description

browserify-sign is a package to duplicate the functionality of node's crypto public key functions, much of this is based on Fedor Indutny's work on indutny/tls.js. An upper bound check issue in `dsaVerify` function allows an attacker to construct signatures that can be successfully verified by any public key, thus leading to a signature forgery attack. All places in this project that involve DSA verification of user-input signatures will be affected by this vulnerability. This issue has been patched in version 4.2.2.

Overview

CVE ID
CVE-2023-46234

Assigner
GitHub_M

Vulnerability Status
PUBLISHED

Published Version
2023-10-26T14:31:35.895Z

Last Modified Date
2023-10-26T14:31:35.895Z

Weakness Enumerations

CWE	URL
CWE-347	http://cwe.mitre.org/data/definitions/347.html

References

Reference URL	Reference Tags
https://github.com/browserify/browserify-sign/security/advisories/GHSA-x9w5-v3q2-3rhw	x_refsource_CONFIRM
https://github.com/browserify/browserify-sign/commit/85994cd6348b50f2fd1b73c54e20881416f44a30	x_refsource_MISC
https://lists.debian.org/debian-lts-announce/2023/10/msg00040.html
https://www.debian.org/security/2023/dsa-5539
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2/

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2023-46234
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46234

History

Created	Old Value	New Value	Data Type	Notes
2024-06-24 22:22:47				Added to TrackCVE