Covert Timing Channel

CVE-2023-46809

Severity High
Score 7.4/10

Summary

Node.js versions that bundle an unpatched version of OpenSSL, or that run against an unpatched dynamically linked version of OpenSSL, are vulnerable to the Marvin Attack (https://people.redhat.com/~hkario/marvin/) if PKCS #1 v1.5 padding is allowed when performing RSA decryption using a private key. This vulnerability affects nodejs package versions 18.x prior to 18.19.1, 20.x prior to 20.11.1, and 21.x prior to 21.6.2.
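A triage check for the two conditions in the summary, as an added example that is not part of the advisory or of Node.js itself: it tests a version string against the listed ranges and scans source text for `crypto.privateDecrypt` calls that request `RSA_PKCS1_PADDING`. The helper names and the `SAMPLE` source are constructed for illustration, and the scan is a text heuristic, not a parser.

```javascript
// Added example: helper names and SAMPLE are constructed for illustration.
// First fixed release on each line, as listed in the advisory summary.
const FIXED = { 18: [18, 19, 1], 20: [20, 11, 1], 21: [21, 6, 2] };

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

// true: inside an affected range; false: at or past the fix;
// null: release line not named in the advisory (check its own status).
function inAffectedRange(version) {
  const v = parseVersion(version);
  const fixed = FIXED[v[0]];
  if (!fixed) return null;
  for (let i = 0; i < 3; i++) {
    if (v[i] !== fixed[i]) return v[i] < fixed[i];
  }
  return false;
}

// Heuristic text scan: line numbers of privateDecrypt(...) calls whose
// arguments name RSA_PKCS1_PADDING. OAEP (Node's default) is not flagged.
function findPkcs1Decrypt(source) {
  const hits = [];
  const call = /privateDecrypt\s*\(/g;
  let m;
  while ((m = call.exec(source)) !== null) {
    let depth = 1;
    let i = call.lastIndex;
    for (; i < source.length && depth > 0; i++) {
      if (source[i] === '(') depth++;
      else if (source[i] === ')') depth--;
    }
    if (/\bRSA_PKCS1_PADDING\b/.test(source.slice(call.lastIndex, i))) {
      hits.push(source.slice(0, m.index).split('\n').length);
    }
  }
  return hits;
}

// Constructed sample source: only the call on line 2 asks for PKCS #1 v1.5.
const SAMPLE = [
  "const crypto = require('crypto');",
  "const a = crypto.privateDecrypt({ key, padding: crypto.constants.RSA_PKCS1_PADDING }, buf);",
  "const b = crypto.privateDecrypt({ key, padding: crypto.constants.RSA_PKCS1_OAEP_PADDING }, buf);",
  "const c = crypto.privateDecrypt(key, buf);",
].join('\n');

console.log('runtime', process.version, 'in affected range:', inAffectedRange(process.version));
console.log('PKCS #1 v1.5 decrypt calls at lines:', findPkcs1Decrypt(SAMPLE));
```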

  • HIGH
  • NETWORK
  • HIGH
  • UNCHANGED
  • NONE
  • NONE
  • HIGH
  • NONE

CWE-385 - Covert Timing Channel

Covert timing channels convey information by modulating some aspect of system behavior over time, so that the program receiving the information can observe system behavior and infer protected information.

Advisory Timeline

  • Published