CVE-2023-46809

Advisory lineage Upstream: 0 Downstream: 22

Downstream

DEBIAN-CVE-2023-46809 DLA-3776-1 DLA-3886-1 DSA-5991-1 MGASA-2024-0046 OPENSUSE-SU-2024:13697-1

Deferred

Published: 07 Sept 2024, 16:03

Last modified:04 Nov 2025, 18:18

Vulnerability Summary

Overall Risk (default)

medium

30/100

CVSS Score

7.4 HIGH

v3.1 (cve.org)

EPSS Score

1.24% LOW

1% probability +0.17%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

07 Sept 2024, 16:03

Published

Vulnerability first disclosed

04 Nov 2025, 18:18

Last Modified

Vulnerability information updated

Description

Node.js versions which bundle an unpatched version of OpenSSL or run against a dynamically linked version of OpenSSL which are unpatched are vulnerable to the Marvin Attack - https://people.redhat.com/~hkario/marvin/, if PCKS #1 v1.5 padding is allowed when performing RSA descryption using a private key.

CVSS Metrics

v3.1•HIGH•Score: 7.4CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

EPSS Trends

Current EPSS score: 1.24%• Percentile: 80%

Techniques & Countermeasures

CWE-385•Covert Timing Channel
Covert timing channels convey information by modulating some aspect of system behavior over time, so that the program receiving the information can observe system behavior and infer protected information.

Affected Systems

nodejs•node
≥ 4.0, < 4.* | ≥ 5.0, < 5.* | ≥ 6.0, < 6.* | ≥ 7.0, < 7.* | ≥ 8.0, < 8.* | ≥ 9.0, < 9.* | ≥ 10.0, < 10.* | ≥ 11.0, < 11.* | ≥ 12.0, < 12.* | ≥ 13.0, < 13.* | ≥ 14.0, < 14.* | ≥ 15.0, < 15.* | ≥ 16.0, < 16.* | ≥ 17.0, < 17.* | ≥ 18.0, < 18.19.1 | ≥ 19.0, < 19.* | ≥ 20.0, < 20.11.1 | ≥ 21.0, < 21.6.2