CVE-2023-46809

HIGH

Node.js < 18.19.1, 20.11.1, 21.6.2 - Covert Timing Channel via RSA Decryption with PKCS #1 v1.5 Padding

Title source: llm

Description

Node.js versions which bundle an unpatched version of OpenSSL or run against a dynamically linked version of OpenSSL which are unpatched are vulnerable to the Marvin Attack - https://people.redhat.com/~hkario/marvin/, if PCKS #1 v1.5 padding is allowed when performing RSA descryption using a private key.

References (3)

Core 3

Core References

Mailing List

https://lists.debian.org/debian-lts-announce/2024/03/msg00029.html

Various Sources

https://nodejs.org/en/blog/vulnerability/february-2024-security-releases

Mailing List

https://lists.debian.org/debian-lts-announce/2024/09/msg00029.html

Scores

CVSS v3 7.4

EPSS 0.0124

EPSS Percentile 79.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-385

Status published

Products (18)

NodeJS/Node 10.0 - 10.*

NodeJS/Node 11.0 - 11.*

NodeJS/Node 12.0 - 12.*

NodeJS/Node 13.0 - 13.*

NodeJS/Node 14.0 - 14.*

NodeJS/Node 15.0 - 15.*

NodeJS/Node 16.0 - 16.*

NodeJS/Node 17.0 - 17.*

NodeJS/Node 18.0 - 18.19.1

NodeJS/Node 19.0 - 19.*

... and 8 more

Published Sep 07, 2024

Tracked Since Feb 18, 2026