CVE-2023-46809

CVE Details

Release Date:

2024-02-16

Description

A flaw was found in Node.js. The privateDecrypt() API of the crypto library may allow a covert timing side-channel during PKCS#1 v1.5 padding error handling. This issue revealed significant timing differences in decryption for valid and invalid ciphertexts, which may allow a remote attacker to decrypt captured RSA ciphertexts or forge signatures, especially in scenarios involving API endpoints processing JSON Web Encryption messages.

See more information about CVE-2023-46809 from MITRE CVE dictionary and NIST NVD

CVSS v3.0 metrics

NOTE: The following CVSS v3.0 metrics and score provided are preliminary and subject to review.

Base Score:	5.9	Base Metrics:	AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Access Vector:	Network	Attack Complexity:	High
Privileges Required:	None	User Interaction:	None
Scope:	Unchanged	Confidentiality Impact:	High
Integrity Impact:	None	Availability Impact:	None

Errata information

Platform	Errata	Release Date
Oracle Linux version 8 (nodejs)	ELSA-2024-1510	2024-03-26
Oracle Linux version 8 (nodejs)	ELSA-2024-1687	2024-04-08
Oracle Linux version 8 (nodejs-nodemon)	ELSA-2024-1510	2024-03-26
Oracle Linux version 8 (nodejs-nodemon)	ELSA-2024-1687	2024-04-08
Oracle Linux version 8 (nodejs-packaging)	ELSA-2024-1510	2024-03-26
Oracle Linux version 8 (nodejs-packaging)	ELSA-2024-1687	2024-04-08
Oracle Linux version 9 (nodejs)	ELSA-2024-1503	2024-03-26
Oracle Linux version 9 (nodejs)	ELSA-2024-1688	2024-04-08
Oracle Linux version 9 (nodejs-nodemon)	ELSA-2024-1503	2024-03-26
Oracle Linux version 9 (nodejs-nodemon)	ELSA-2024-1688	2024-04-08
Oracle Linux version 9 (nodejs-packaging)	ELSA-2024-1503	2024-03-26
Oracle Linux version 9 (nodejs-packaging)	ELSA-2024-1688	2024-04-08

This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections please contact the Oracle Linux ULN team