browserify-sign is a package to duplicate the functionality of node's crypto public key functions, much of this is based on Fedor Indutny's work on indutny/tls.js. An upper bound check issue in `dsaVerify` function allows an attacker to construct signatures that can be successfully verified by any public key, thus leading to a signature forgery attack. All places in this project that involve DSA verification of user-input signatures will be affected by this vulnerability. This issue has been patched in version 4.2.2.
References
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: GitHub_M
Published: 2023-10-26T14:31:35.895Z
Updated: 2023-10-26T14:31:35.895Z
Reserved: 2023-10-19T20:34:00.946Z
Link: CVE-2023-46234
JSON object: View
NVD Information
Status : Modified
Published: 2023-10-26T15:15:09.087
Modified: 2024-02-28T03:15:07.220
Link: CVE-2023-46234
JSON object: View
Redhat Information
No data.
CWE