CVE-2023-46809
First published: Fri Feb 16 2024(Updated: )
A vulnerability in the privateDecrypt() API of the crypto library, allowed a covert timing side-channel during PKCS#1 v1.5 padding error handling. The vulnerability revealed significant timing differences in decryption for valid and invalid ciphertexts. This poses a serious threat as attackers could remotely exploit the vulnerability to decrypt captured RSA ciphertexts or forge signatures, especially in scenarios involving API endpoints processing Json Web Encryption messages. This vulnerability affects all users in all active release lines: 18.x, 20.x, and 21.x.
Credit: support@hackerone.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/node | <18.19.1 | 18.19.1 |
| IBM Cognos Analytics | <=12.0.0-12.0.3 | |
| IBM Cognos Analytics | <=11.2.0-11.2.4 FP3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2264570
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2264571
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2264572
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2264802
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2264800
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2264801
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2264803
- https://access.redhat.com/errata/RHSA-2024:1510
- https://access.redhat.com/errata/RHSA-2024:1688
- https://access.redhat.com/errata/RHSA-2024:1687
- https://access.redhat.com/errata/RHSA-2024:1880
- https://access.redhat.com/errata/RHSA-2024:1932
- https://bugzilla.redhat.com/show_bug.cgi?id=2264569
- https://nodejs.org/en/blog/vulnerability/february-2024-security-releases
- https://www.ibm.com/support/pages/node/7173592 (Advisory)
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2023-46809
- agent/software-canonical-lookup
- agent/type
- agent/author
- collector/nvd-api
- source/NVD
- agent/weakness
- agent/severity
- agent/event
- collector/mitre-cve
- source/MITRE
- collector/ibm-support
- source/IBM
- agent/last-modified-date
- agent/references
- agent/softwarecombine
- agent/tags
- agent/description
- agent/trending
- package-manager/redhat
- vendor/ibm
- canonical/ibm cognos analytics
- version/ibm cognos analytics/12.0.0-12.0.3
- version/ibm cognos analytics/11.2.0-11.2.4 fp3