CVE-2023-46234

HIGH EPSS 39.5%
Published Oct 26, 20232y ago · Modified Jun 17, 20261w ago
7.5 CVSS 3.1
High
Find Similar
Published Oct 26, 2023 2y ago
Last Modified Jun 17, 2026 1w ago

Description

browserify-sign is a package to duplicate the functionality of node's crypto public key functions, much of this is based on Fedor Indutny's work on indutny/tls.js. An upper bound check issue in `dsaVerify` function allows an attacker to construct signatures that can be successfully verified by any public key, thus leading to a signature forgery attack. All places in this project that involve DSA verification of user-input signatures will be affected by this vulnerability. This issue has been patched in version 4.2.2.

CVSS Details

Base Score
7.5
Exploitability
3.9
Impact
3.6
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality None
Integrity High
Availability None

Threat Intelligence

EPSS Exploit Probability
39.5% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-347

Affected Products 3

VendorProductVersionRange
browserifybrowserify-sign* <4.2.2
debiandebian_linux11.0any
debiandebian_linux12.0any

References 6

  • github.com https://github.com/browserify/browserify-sign/commit/85994cd6348b50f2fd1b73c54e20881416f44a30
    Third Party Advisory
  • github.com https://github.com/browserify/browserify-sign/security/advisories/GHSA-x9w5-v3q2-3rhw
    Third Party Advisory
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2023/10/msg00040.html
    Third Party Advisory
  • lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2/
    Release Notes
  • lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ/
    Release Notes
  • debian.org https://www.debian.org/security/2023/dsa-5539
    Third Party Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.