browserify-sign is a package to duplicate the functionality of node's crypto public key functions, much of this is based on Fedor Indutny's work on indutny/tls.js. An upper bound check issue in `dsaVerify` function allows an attacker to construct signatures that can be successfully verified by any public key, thus leading to a signature forgery attack. All places in this project that involve DSA verification of user-input signatures will be affected by this vulnerability. This issue has been patched in version 4.2.2.

The version of Atlassian Confluence Server running on the remote host is affected by a vulnerability as referenced in the CONFSERVER-98021 advisory.

  - browserify-sign is a package to duplicate the functionality of node's crypto public key functions, much of     this is based on Fedor Indutny's work on indutny/tls.js. An upper bound check issue in `dsaVerify`     function allows an attacker to construct signatures that can be successfully verified by any public key,     thus leading to a signature forgery attack. All places in this project that involve DSA verification of     user-input signatures will be affected by this vulnerability. This issue has been patched in version     4.2.2. (CVE-2023-46234)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Ubuntu 18.04 LTS / 20.04 LTS / 22.04 LTS / 23.10 host has a package installed that is affected by a vulnerability as referenced in the USN-6800-1 advisory.

    It was discovered that browserify-sign incorrectly handled an upper bound check in signature verification.
    If a user or an automated system were tricked into opening a specially crafted input file, a remote     attacker could possibly use this issue to perform a signature forgery attack.

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Fedora 39 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2024-28fc0c2ef4 advisory.

    Update to 1.22.21, add fixes for CVE-2022-37599, CVE-2023-26136, CVE-2023-46234.

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 38 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2024-5ecc250449 advisory.

    Update to 1.22.21, add fixes for CVE-2022-37599, CVE-2023-26136, CVE-2023-46234.

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 11 / 12 host has a package installed that is affected by a vulnerability as referenced in the dsa-5539 advisory.

  - browserify-sign is a package to duplicate the functionality of node's crypto public key functions, much of     this is based on Fedor Indutny's work on indutny/tls.js. An upper bound check issue in `dsaVerify`     function allows an attacker to construct signatures that can be successfully verified by any public key,     thus leading to a signature forgery attack. All places in this project that involve DSA verification of     user-input signatures will be affected by this vulnerability. This issue has been patched in version     4.2.2. (CVE-2023-46234)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 10 host has a package installed that is affected by a vulnerability as referenced in the dla-3635 advisory.

    - -------------------------------------------------------------------------     Debian LTS Advisory DLA-3635-1                debian-lts@lists.debian.org     https://www.debian.org/lts/security/                                 Yadd     October 29, 2023                              https://wiki.debian.org/LTS
    - -------------------------------------------------------------------------

    Package        : node-browserify-sign     Version        : 4.0.4-2+deb10u1     CVE ID         : CVE-2023-46234     Debian Bug     : 1054667

    An upper bound check issue in `dsaVerify` function has been discovered in     node-browserify-sign. This allows an attacker to construct signatures that     can be successfully verified by any public key, thus leading to a signature     forgery attack.

    For Debian 10 buster, this problem has been fixed in version     4.0.4-2+deb10u1.

    We recommend that you upgrade your node-browserify-sign packages.

    For the detailed security status of node-browserify-sign please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/node-browserify-sign

    Further information about Debian LTS security advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://wiki.debian.org/LTS

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
213705	Atlassian Confluence 7.11.x < 7.19.29 / 7.20.x < 8.5.17 / 8.6.x < 8.9.8 / 9.0.x < 9.1.1 (CONFSERVER-98021)	Nessus	CGI abuses	high
198155	Ubuntu 18.04 LTS / 20.04 LTS / 22.04 LTS / 23.10 : browserify-sign vulnerability (USN-6800-1)	Nessus	Ubuntu Local Security Checks	high
191080	Fedora 39 : yarnpkg (2024-28fc0c2ef4)	Nessus	Fedora Local Security Checks	critical
191079	Fedora 38 : yarnpkg (2024-5ecc250449)	Nessus	Fedora Local Security Checks	critical
184063	Debian DSA-5539-1 : node-browserify-sign - security update	Nessus	Debian Local Security Checks	high
184006	Debian dla-3635 : node-browserify-sign - security update	Nessus	Debian Local Security Checks	high

Detections

Analytics

CVE-2023-46234

high

Tenable Plugins

high

high

critical

critical

high

high