Home > Vulnerability Database > CVE-2023-46234

Mend.io Vulnerability Database

CVE-2023-46234

Good to know:

Date: October 26, 2023

browserify-sign is a package to duplicate the functionality of node's crypto public key functions, much of this is based on Fedor Indutny's work on indutny/tls.js. An upper bound check issue in `dsaVerify` function allows an attacker to construct signatures that can be successfully verified by any public key, thus leading to a signature forgery attack. All places in this project that involve DSA verification of user-input signatures will be affected by this vulnerability. This issue has been patched in version 4.2.2.

Language: JS

Severity Score

6.5

Related Resources (11)

Url: https://lists.debian.org/debian-lts-announce/2023/10/msg00040.html

Url: https://www.debian.org/security/2023/dsa-5539

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ/

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-46234

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2/

Url: https://github.com/browserify/browserify-sign

Url: https://github.com/browserify/browserify-sign/commit/85994cd6348b50f2fd1b73c54e20881416f44a30

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ

Url: https://github.com/browserify/browserify-sign/security/advisories/GHSA-x9w5-v3q2-3rhw

Url: https://www.mend.io/vulnerability-database/CVE-2023-46234

Severity Score

6.5

Weakness Type (CWE)

Improper Verification of Cryptographic Signature

CWE-347

Top Fix

Upgrade Version

Upgrade to version browserify-sign - 4.2.2

Learn More

CVSS v3.1

Base Score:	6.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2023-46234

Good to know:

Date: October 26, 2023

Language: JS

Severity Score

Related Resources (11)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?