CVE-2023-46809
First published: Fri Feb 16 2024(Updated: )
A vulnerability in the privateDecrypt() API of the crypto library, allowed a covert timing side-channel during PKCS#1 v1.5 padding error handling. The vulnerability revealed significant timing differences in decryption for valid and invalid ciphertexts. This poses a serious threat as attackers could remotely exploit the vulnerability to decrypt captured RSA ciphertexts or forge signatures, especially in scenarios involving API endpoints processing Json Web Encryption messages. This vulnerability affects all users in all active release lines: 18.x, 20.x, and 21.x.
Credit: support@hackerone.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/node | <18.19.1 | 18.19.1 |
| IBM Cognos Analytics | <=12.0.0-12.0.3 | |
| IBM Cognos Analytics | <=11.2.0-11.2.4 FP3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2264570
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2264571
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2264572
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2264802
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2264800
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2264801
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2264803
- https://access.redhat.com/errata/RHSA-2024:1510
- https://access.redhat.com/errata/RHSA-2024:1688
- https://access.redhat.com/errata/RHSA-2024:1687
- https://access.redhat.com/errata/RHSA-2024:1880
- https://access.redhat.com/errata/RHSA-2024:1932
- https://bugzilla.redhat.com/show_bug.cgi?id=2264569
- https://nodejs.org/en/blog/vulnerability/february-2024-security-releases
- https://www.ibm.com/support/pages/node/7173592 (Advisory)
Frequently Asked Questions
What is the severity of CVE-2023-46809?
CVE-2023-46809 is considered a serious vulnerability that can lead to timing side-channel attacks during PKCS#1 v1.5 padding error handling.
How do I fix CVE-2023-46809?
To fix CVE-2023-46809, update the affected software to the latest patched versions provided by the vendor.
Which software does CVE-2023-46809 affect?
CVE-2023-46809 affects Node.js and different versions of IBM Cognos Analytics.
What type of attack can be performed using CVE-2023-46809?
CVE-2023-46809 allows attackers to exploit timing differences in decryption processes, potentially revealing sensitive data.
Is there a patch available for CVE-2023-46809?
Yes, patches are available for the affected versions of both Node.js and IBM Cognos Analytics.
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2023-46809
- agent/software-canonical-lookup
- agent/type
- agent/author
- collector/nvd-api
- source/NVD
- agent/weakness
- agent/severity
- agent/event
- collector/mitre-cve
- source/MITRE
- collector/ibm-support
- source/IBM
- agent/last-modified-date
- agent/references
- agent/softwarecombine
- agent/description
- agent/trending
- agent/tags
- agent/source
- package-manager/redhat
- vendor/ibm
- canonical/ibm cognos analytics
- version/ibm cognos analytics/12.0.0-12.0.3
- version/ibm cognos analytics/11.2.0-11.2.4 fp3