{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-46809", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "state": "PUBLISHED", "assignerShortName": "hackerone", "dateReserved": "2023-10-27T01:00:13.401Z", "datePublished": "2024-09-07T16:03:32.996Z", "dateUpdated": "2024-09-09T18:00:37.229Z"}, "containers": {"cna": {"descriptions": [{"lang": "en", "value": "Node.js versions which bundle an unpatched version of OpenSSL or run against a dynamically linked version of OpenSSL which are unpatched are vulnerable to the Marvin Attack - https://people.redhat.com/~hkario/marvin/, if PCKS #1 v1.5 padding is allowed when performing RSA descryption using a private key."}], "affected": [{"defaultStatus": "unaffected", "vendor": "Node", "product": "https://github.com/nodejs/node", "versions": [{"version": "21.6.0", "status": "affected", "lessThanOrEqual": "21.6.0", "versionType": "semver"}, {"version": "20.11.0", "status": "affected", "lessThanOrEqual": "20.11.0", "versionType": "semver"}, {"version": "18.19.0", "status": "affected", "lessThanOrEqual": "18.19.0", "versionType": "semver"}]}], "references": [{"url": "https://nodejs.org/en/blog/vulnerability/february-2024-security-releases"}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2024-09-07T16:03:32.996Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-385", "lang": "en", "description": "CWE-385 Covert Timing Channel"}]}], "affected": [{"vendor": "nodejs", "product": "nodejs", "cpes": ["cpe:2.3:a:nodejs:nodejs:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "versions": [{"version": "18.0", "status": "affected", "lessThanOrEqual": "18.19.0", "versionType": "semver"}, {"version": "20.0", "status": "affected", "lessThanOrEqual": "20.11.0", "versionType": "semver"}, {"version": "21.0", "status": "affected", "lessThanOrEqual": "21.6.0", "versionType": "semver"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-09-09T17:40:41.999808Z", "id": "CVE-2023-46809", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-09T18:00:37.229Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2023-46809", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-09-09T17:40:41.999808Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:nodejs:nodejs:*:*:*:*:*:*:*:*"], "vendor": "nodejs", "product": "nodejs", "versions": [{"status": "affected", "version": "18.0", "versionType": "semver", "lessThanOrEqual": "18.19.0"}, {"status": "affected", "version": "20.0", "versionType": "semver", "lessThanOrEqual": "20.11.0"}, {"status": "affected", "version": "21.0", "versionType": "semver", "lessThanOrEqual": "21.6.0"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-385", "description": "CWE-385 Covert Timing Channel"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-09T17:42:38.836Z"}}], "cna": {"affected": [{"vendor": "Node", "product": "https://github.com/nodejs/node", "versions": [{"status": "affected", "version": "21.6.0", "versionType": "semver", "lessThanOrEqual": "21.6.0"}, {"status": "affected", "version": "20.11.0", "versionType": "semver", "lessThanOrEqual": "20.11.0"}, {"status": "affected", "version": "18.19.0", "versionType": "semver", "lessThanOrEqual": "18.19.0"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://nodejs.org/en/blog/vulnerability/february-2024-security-releases"}], "descriptions": [{"lang": "en", "value": "Node.js versions which bundle an unpatched version of OpenSSL or run against a dynamically linked version of OpenSSL which are unpatched are vulnerable to the Marvin Attack - https://people.redhat.com/~hkario/marvin/, if PCKS #1 v1.5 padding is allowed when performing RSA descryption using a private key."}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2024-09-07T16:03:32.996Z"}}}, "cveMetadata": {"cveId": "CVE-2023-46809", "state": "PUBLISHED", "dateUpdated": "2024-09-09T18:00:37.229Z", "dateReserved": "2023-10-27T01:00:13.401Z", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "datePublished": "2024-09-07T16:03:32.996Z", "assignerShortName": "hackerone"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Node.js versions which bundle an unpatched version of OpenSSL or run against a dynamically linked version of OpenSSL which are unpatched are vulnerable to the Marvin Attack - https://people.redhat.com/~hkario/marvin/, if PCKS #1 v1.5 padding is allowed when performing RSA descryption using a private key."}, {"lang": "es", "value": "Las versiones de Node.js que incluyen una versi\u00f3n sin parches de OpenSSL o se ejecutan contra una versi\u00f3n vinculada din\u00e1micamente de OpenSSL que no tiene parches son vulnerables al ataque Marvin - https://people.redhat.com/~hkario/marvin/, si se permite el relleno PCKS #1 v1.5 al realizar el descifrado RSA usando una clave privada."}], "id": "CVE-2023-46809", "lastModified": "2024-09-09T18:35:01.803", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.2, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-09-07T16:15:02.343", "references": [{"source": "support@hackerone.com", "url": "https://nodejs.org/en/blog/vulnerability/february-2024-security-releases"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-385"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:1510", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "nodejs:18-8090020240301110609.a75119d5", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-03-26T00:00:00Z"}, {"advisory": "RHSA-2024:1687", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "nodejs:20-8090020240228165436.a75119d5", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-04-08T00:00:00Z"}, {"advisory": "RHSA-2024:1880", "cpe": "cpe:/a:redhat:rhel_eus:8.8", "package": "nodejs:18-8080020240322102042.63b34585", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2024-04-18T00:00:00Z"}, {"advisory": "RHSA-2024:1503", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "nodejs:18-9030020240301111035.rhel9", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-03-25T00:00:00Z"}, {"advisory": "RHSA-2024:1688", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "nodejs:20-9030020240229115828.rhel9", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-04-08T00:00:00Z"}, {"advisory": "RHSA-2024:1932", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "nodejs:18-9020020240322155241.rhel9", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-04-22T00:00:00Z"}], "bugzilla": {"description": "nodejs: vulnerable to timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding (Marvin)", "id": "2264569", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2264569"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.9", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "status": "verified"}, "cwe": "CWE-385->CWE-208", "details": ["Node.js versions which bundle an unpatched version of OpenSSL or run against a dynamically linked version of OpenSSL which are unpatched are vulnerable to the Marvin Attack - https://people.redhat.com/~hkario/marvin/, if PCKS #1 v1.5 padding is allowed when performing RSA descryption using a private key.", "A flaw was found in Node.js. The privateDecrypt() API of the crypto library may allow a covert timing side-channel during PKCS#1 v1.5 padding error handling. This issue revealed significant timing differences in decryption for valid and invalid ciphertexts, which may allow a remote attacker to decrypt captured RSA ciphertexts or forge signatures, especially in scenarios involving API endpoints processing JSON Web Encryption messages."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2023-46809", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "nodejs:16/nodejs", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Will not fix", "package_name": "nodejs", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Will not fix", "package_name": "rh-nodejs14-nodejs", "product_name": "Red Hat Software Collections"}], "public_date": "2024-02-16T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-46809\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-46809"], "statement": "This Node.js vulnerability poses a notable risk as it allows for covert timing side-channel attacks during RSA ciphertext decryption, potentially enabling attackers to decrypt captured data or forge signatures.\nIt's classified as \"Medium\" severity rather than important due to its dependency on specific conditions for exploitation, such as the use of the privateDecrypt() API with PKCS#1 v1.5 padding.", "threat_severity": "Moderate", "upstream_fix": "node 18.19.1"}