CVE-2023-46809
PUBLISHED
Node.js versions that bundle an unpatched version of OpenSSL, or that run against a dynamically linked version of OpenSSL that is unpatched, are vulnerable to the Marvin Attack (https://people.redhat.com/~hkario/marvin/) if PKCS #1 v1.5 padding is allowed when performing RSA decryption using a private key.
EPSS 1.24% · 79.6th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Bitnami | node | 0, 19.0.0, 21.0.0 |
| Bitnami | node-min | 19.0.0, 0, 0 |
| Bitnami | node-min | 0, 19.0.0, 21.0.0 |
Exploit Intelligence
- Node.js is vulnerable to the Marvin Attack (timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding) (hackerone)
- GenerationConfig.java (github-poc)
- node_revert.h (github-poc)
…and 26 more exploits
Timeline
- CVE Published
- Feb 15, 2024 PoC Published
- Sep 8, 2024 EPSS Score
- Sep 28, 2024 EPSS Score
- Oct 18, 2024 EPSS Score
- Nov 7, 2024 EPSS Score
- Nov 27, 2024 EPSS Score
- Dec 18, 2024 EPSS Score
- Jan 7, 2025 EPSS Score
- Jan 27, 2025 EPSS Score
- Feb 15, 2025 EPSS Score
- Mar 7, 2025 EPSS Score