UBUNTU-CVE-2023-46234
Advisory lineage Upstream: 1 Downstream: 1
Upstream
Downstream
Published: 26 Oct 2023, 15:15
Last modified:04 Feb 2026, 04:26
Vulnerability Summary
Overall Risk (default)
medium
26/100 CVSS Score
6.5 MEDIUM
3.1 (osv_ubuntu)
EPSS Score
No data
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
26 Oct 2023, 15:15
Published
Vulnerability first disclosed
04 Feb 2026, 04:26
Last Modified
Vulnerability information updated
Description
browserify-sign is a package to duplicate the functionality of node's crypto public key functions, much of this is based on Fedor Indutny's work on indutny/tls.js. An upper bound check issue in `dsaVerify` function allows an attacker to construct signatures that can be successfully verified by any public key, thus leading to a signature forgery attack. All places in this project that involve DSA verification of user-input signatures will be affected by this vulnerability. This issue has been patched in version 4.2.2.
CVSS Metrics
- v3.1•MEDIUM•Score: 6.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Affected Systems
- ubuntu•node-browserify-sign
< 4.0.4-2ubuntu0.18.04.1~esm1 | < 4.0.4-2ubuntu0.20.04.1 | < 4.2.1-2ubuntu0.1
References (5)
- https://ubuntu.com/security/CVE-2023-46234
- https://github.com/browserify/browserify-sign/security/advisories/GHSA-x9w5-v3q2-3rhw
- https://github.com/browserify/browserify-sign/commit/85994cd6348b50f2fd1b73c54e20881416f44a30
- https://www.cve.org/CVERecord?id=CVE-2023-46234
- https://ubuntu.com/security/notices/USN-6800-1