PT-2024-2706 · OpenSSL+10
Hkario · Published 2024-02-12 · Updated 2025-09-01 · CVE-2023-46809
CVSS v3.1: 7.4 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Node.js versions that bundle an unpatched version of OpenSSL, or that run against a dynamically linked OpenSSL that is unpatched
Description
The issue is a timing side channel in the privateDecrypt() function of the Node.js crypto library: decryption of valid and invalid ciphertexts padded according to the PKCS #1 v1.5 standard shows a timing discrepancy. This allows a remote attacker to mount a Bleichenbacher or Marvin attack. The vulnerability is exploitable when PKCS #1 v1.5 padding is allowed during RSA decryption using a private key.
Recommendations
As a temporary workaround, consider disabling the use of PKCS #1 v1.5 padding when performing RSA decryption using a private key until a patch is available. Restrict access to the privateDecrypt() function to minimize the risk of exploitation. Avoid using the privateDecrypt() function with unpatched versions of OpenSSL until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
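One way to apply the workaround above in application code, as an added example that is not part of the original advisory or of Node.js itself: a wrapper that only ever performs OAEP decryption and refuses a request for PKCS #1 v1.5 padding. The helper names decryptOaepOnly and demo are hypothetical, the key and ciphertexts are constructed sample data, and it assumes both peers can switch to OAEP with SHA-256.

```javascript
const nodeCrypto = require('node:crypto');
const { RSA_PKCS1_PADDING, RSA_PKCS1_OAEP_PADDING } = nodeCrypto.constants;

// Hypothetical policy wrapper: the only padding mode it will decrypt is OAEP.
function decryptOaepOnly(privateKey, ciphertext, requestedPadding = RSA_PKCS1_OAEP_PADDING) {
  if (requestedPadding !== RSA_PKCS1_OAEP_PADDING) {
    // Refuse before any private-key operation runs.
    throw new Error('padding mode not permitted');
  }
  try {
    return nodeCrypto.privateDecrypt(
      { key: privateKey, padding: RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' },
      ciphertext
    );
  } catch {
    // One generic error for every failure, so callers cannot relay the cause.
    throw new Error('decryption failed');
  }
}

// Constructed sample data: a throwaway 2048-bit key and two ciphertexts.
function demo() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const msg = Buffer.from('session-key-material (constructed)');
  const oaepCt = nodeCrypto.publicEncrypt(
    { key: publicKey, padding: RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' }, msg);
  const v15Ct = nodeCrypto.publicEncrypt({ key: publicKey, padding: RSA_PKCS1_PADDING }, msg);

  const outcome = (fn) => {
    try { return fn().toString(); } catch (e) { return `error: ${e.message}`; }
  };
  return {
    // OAEP ciphertext decrypts normally.
    oaep: outcome(() => decryptOaepOnly(privateKey, oaepCt)),
    // A PKCS #1 v1.5 ciphertext fails OAEP decoding and gets the generic error.
    v15Ciphertext: outcome(() => decryptOaepOnly(privateKey, v15Ct)),
    // An explicit request for PKCS #1 v1.5 padding is refused by policy.
    v15Requested: outcome(() => decryptOaepOnly(privateKey, v15Ct, RSA_PKCS1_PADDING)),
  };
}

console.log(demo());
```

Routing every private-key decryption through one wrapper like this also gives a single place to audit for any remaining use of RSA_PKCS1_PADDING.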
Affected Products
ALT Linux
AlmaLinux
Astra Linux
CentOS
Debian
Node.js
OpenSSL
Red Hat
RED OS
Rocky Linux
SUSE