CVE-2023-46234 (High) detected in browserify-sign-4.0.4.tgz, browserify-sign-4.2.1.tgz #305
Labels
Mend: dependency security vulnerability
Security vulnerability detected by WhiteSource
Comments
mend-for-github-com
bot
added
the
Mend: dependency security vulnerability
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
CVE-2023-46234 - High Severity Vulnerability
browserify-sign-4.0.4.tgz
adds node crypto signing for browsers
Library home page: https://registry.npmjs.org/browserify-sign/-/browserify-sign-4.0.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/browserify-sign/package.json
Dependency Hierarchy:
browserify-sign-4.2.1.tgz
adds node crypto signing for browsers
Library home page: https://registry.npmjs.org/browserify-sign/-/browserify-sign-4.2.1.tgz
Path to dependency file: /packages/react-server-integration-tests/package.json
Path to vulnerable library: /packages/react-server-integration-tests/node_modules/browserify-sign/package.json,/packages/react-server-examples/meteor-site/node_modules/browserify-sign/package.json,/packages/react-server-examples/bike-share/node_modules/browserify-sign/package.json,/packages/generator-react-server/node_modules/browserify-sign/package.json,/packages/react-server-examples/hello-world/node_modules/browserify-sign/package.json,/packages/react-server-website/node_modules/react-server-cli/node_modules/browserify-sign/package.json,/packages/react-server-cli/node_modules/browserify-sign/package.json,/packages/react-server-examples/code-splitting/node_modules/browserify-sign/package.json,/packages/react-server-examples/redux-basic/node_modules/browserify-sign/package.json,/packages/react-server-test-pages/node_modules/react-server-cli/node_modules/browserify-sign/package.json
Dependency Hierarchy:
Found in HEAD commit: fc4f63cd9d7cfd34b5d6322a49f9b670bd83cb27
Found in base branch: master
browserify-sign is a package to duplicate the functionality of node's crypto public key functions, much of this is based on Fedor Indutny's work on indutny/tls.js. An upper bound check issue in
dsaVerifyfunction allows an attacker to construct signatures that can be successfully verified by any public key, thus leading to a signature forgery attack. All places in this project that involve DSA verification of user-input signatures will be affected by this vulnerability. This issue has been patched in version 4.2.2.Publish Date: 2023-10-26
URL: CVE-2023-46234
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: GHSA-x9w5-v3q2-3rhw
Release Date: 2023-10-26
Fix Resolution (browserify-sign): 4.2.2
Direct dependency fix Resolution (react-server-cli): 0.7.1
⛑️ Automatic Remediation will be attempted for this issue.
The text was updated successfully, but these errors were encountered: