{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-46234", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-10-19T20:34:00.946Z", "datePublished": "2023-10-26T14:31:35.895Z", "dateUpdated": "2025-02-13T17:14:23.092Z"}, "containers": {"cna": {"title": "browserify-sign vulnerable via an upper bound check issue in `dsaVerify` that leads to a signature forgery attack", "problemTypes": [{"descriptions": [{"cweId": "CWE-347", "lang": "en", "description": "CWE-347: Improper Verification of Cryptographic Signature", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/browserify/browserify-sign/security/advisories/GHSA-x9w5-v3q2-3rhw", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/browserify/browserify-sign/security/advisories/GHSA-x9w5-v3q2-3rhw"}, {"name": "https://github.com/browserify/browserify-sign/commit/85994cd6348b50f2fd1b73c54e20881416f44a30", "tags": ["x_refsource_MISC"], "url": "https://github.com/browserify/browserify-sign/commit/85994cd6348b50f2fd1b73c54e20881416f44a30"}, {"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00040.html"}, {"url": "https://www.debian.org/security/2023/dsa-5539"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2/"}], "affected": [{"vendor": "browserify", "product": "browserify-sign", "versions": [{"version": ">= 2.6.0, <= 4.2.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-02-28T02:06:00.712Z"}, "descriptions": [{"lang": "en", "value": "browserify-sign is a package to duplicate the functionality of node's crypto public key functions, much of this is based on Fedor Indutny's work on indutny/tls.js. An upper bound check issue in `dsaVerify` function allows an attacker to construct signatures that can be successfully verified by any public key, thus leading to a signature forgery attack. All places in this project that involve DSA verification of user-input signatures will be affected by this vulnerability. This issue has been patched in version 4.2.2."}], "source": {"advisory": "GHSA-x9w5-v3q2-3rhw", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T20:37:40.270Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/browserify/browserify-sign/security/advisories/GHSA-x9w5-v3q2-3rhw", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/browserify/browserify-sign/security/advisories/GHSA-x9w5-v3q2-3rhw"}, {"name": "https://github.com/browserify/browserify-sign/commit/85994cd6348b50f2fd1b73c54e20881416f44a30", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/browserify/browserify-sign/commit/85994cd6348b50f2fd1b73c54e20881416f44a30"}, {"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00040.html", "tags": ["x_transferred"]}, {"url": "https://www.debian.org/security/2023/dsa-5539", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2/", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:browserify:browserify-sign:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "DE51BF6D-53CC-41A1-9530-BD9B1DCFBE6D", "versionEndExcluding": "4.2.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:12.0:*:*:*:*:*:*:*", "matchCriteriaId": "46D69DCC-AE4D-4EA5-861C-D60951444C6C", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "browserify-sign is a package to duplicate the functionality of node's crypto public key functions, much of this is based on Fedor Indutny's work on indutny/tls.js. An upper bound check issue in `dsaVerify` function allows an attacker to construct signatures that can be successfully verified by any public key, thus leading to a signature forgery attack. All places in this project that involve DSA verification of user-input signatures will be affected by this vulnerability. This issue has been patched in version 4.2.2."}, {"lang": "es", "value": "browserify-sign es un paquete para duplicar la funcionalidad de las funciones de clave p\u00fablica criptogr\u00e1fica del nodo, gran parte de esto se basa en el trabajo de Fedor Indutny en indutny/tls.js. Un problema de verificaci\u00f3n de l\u00edmite superior en la funci\u00f3n `dsaVerify` permite a un atacante construir firmas que pueden verificarse con \u00e9xito mediante cualquier clave p\u00fablica, lo que lleva a un ataque de falsificaci\u00f3n de firmas. Todos los lugares de este proyecto que implican la verificaci\u00f3n DSA de las firmas ingresadas por los usuarios se ver\u00e1n afectados por esta vulnerabilidad. Este problema se solucion\u00f3 en la versi\u00f3n 4.2.2."}], "id": "CVE-2023-46234", "lastModified": "2025-02-13T18:15:34.370", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-10-26T15:15:09.087", "references": [{"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/browserify/browserify-sign/commit/85994cd6348b50f2fd1b73c54e20881416f44a30"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/browserify/browserify-sign/security/advisories/GHSA-x9w5-v3q2-3rhw"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00040.html"}, {"source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2/"}, {"source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ/"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2023/dsa-5539"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/browserify/browserify-sign/commit/85994cd6348b50f2fd1b73c54e20881416f44a30"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/browserify/browserify-sign/security/advisories/GHSA-x9w5-v3q2-3rhw"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00040.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2023/dsa-5539"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-347"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2023:6180", "cpe": "cpe:/a:redhat:openshift_distributed_tracing:2.9::el8", "package": "jaeger-agent-container", "product_name": "Red Hat OpenShift distributed tracing 2", "release_date": "2023-10-30T00:00:00Z"}, {"advisory": "RHSA-2023:6180", "cpe": "cpe:/a:redhat:openshift_distributed_tracing:2.9::el8", "package": "jaeger-all-in-one-container", "product_name": "Red Hat OpenShift distributed tracing 2", "release_date": "2023-10-30T00:00:00Z"}, {"advisory": "RHSA-2023:6180", "cpe": "cpe:/a:redhat:openshift_distributed_tracing:2.9::el8", "package": "jaeger-collector-container", "product_name": "Red Hat OpenShift distributed tracing 2", "release_date": "2023-10-30T00:00:00Z"}, {"advisory": "RHSA-2023:6180", "cpe": "cpe:/a:redhat:openshift_distributed_tracing:2.9::el8", "package": "jaeger-es-index-cleaner-container", "product_name": "Red Hat OpenShift distributed tracing 2", "release_date": "2023-10-30T00:00:00Z"}, {"advisory": "RHSA-2023:6180", "cpe": "cpe:/a:redhat:openshift_distributed_tracing:2.9::el8", "package": "jaeger-es-rollover-container", "product_name": "Red Hat OpenShift distributed tracing 2", "release_date": "2023-10-30T00:00:00Z"}, {"advisory": "RHSA-2023:6180", "cpe": "cpe:/a:redhat:openshift_distributed_tracing:2.9::el8", "package": "jaeger-ingester-container", "product_name": "Red Hat OpenShift distributed tracing 2", "release_date": "2023-10-30T00:00:00Z"}, {"advisory": "RHSA-2023:6180", "cpe": "cpe:/a:redhat:openshift_distributed_tracing:2.9::el8", "package": "jaeger-operator-bundle-container", "product_name": "Red Hat OpenShift distributed tracing 2", "release_date": "2023-10-30T00:00:00Z"}, {"advisory": "RHSA-2023:6180", "cpe": "cpe:/a:redhat:openshift_distributed_tracing:2.9::el8", "package": "jaeger-operator-container", "product_name": "Red Hat OpenShift distributed tracing 2", "release_date": "2023-10-30T00:00:00Z"}, {"advisory": "RHSA-2023:6180", "cpe": "cpe:/a:redhat:openshift_distributed_tracing:2.9::el8", "package": "jaeger-query-container", "product_name": "Red Hat OpenShift distributed tracing 2", "release_date": "2023-10-30T00:00:00Z"}, {"advisory": "RHSA-2023:6180", "cpe": "cpe:/a:redhat:openshift_distributed_tracing:2.9::el8", "package": "opentelemetry-collector-container", "product_name": "Red Hat OpenShift distributed tracing 2", "release_date": "2023-10-30T00:00:00Z"}, {"advisory": "RHSA-2023:6180", "cpe": "cpe:/a:redhat:openshift_distributed_tracing:2.9::el8", "package": "opentelemetry-operator-bundle-container", "product_name": "Red Hat OpenShift distributed tracing 2", "release_date": "2023-10-30T00:00:00Z"}, {"advisory": "RHSA-2023:6180", "cpe": "cpe:/a:redhat:openshift_distributed_tracing:2.9::el8", "package": "opentelemetry-operator-container", "product_name": "Red Hat OpenShift distributed tracing 2", "release_date": "2023-10-30T00:00:00Z"}, {"advisory": "RHSA-2023:6180", "cpe": "cpe:/a:redhat:openshift_distributed_tracing:2.9::el8", "package": "tempo-container", "product_name": "Red Hat OpenShift distributed tracing 2", "release_date": "2023-10-30T00:00:00Z"}, {"advisory": "RHSA-2023:6180", "cpe": "cpe:/a:redhat:openshift_distributed_tracing:2.9::el8", "package": "tempo-gateway-container", "product_name": "Red Hat OpenShift distributed tracing 2", "release_date": "2023-10-30T00:00:00Z"}, {"advisory": "RHSA-2023:6180", "cpe": "cpe:/a:redhat:openshift_distributed_tracing:2.9::el8", "package": "tempo-gateway-opa-container", "product_name": "Red Hat OpenShift distributed tracing 2", "release_date": "2023-10-30T00:00:00Z"}, {"advisory": "RHSA-2023:6180", "cpe": "cpe:/a:redhat:openshift_distributed_tracing:2.9::el8", "package": "tempo-operator-bundle-container", "product_name": "Red Hat OpenShift distributed tracing 2", "release_date": "2023-10-30T00:00:00Z"}, {"advisory": "RHSA-2023:6180", "cpe": "cpe:/a:redhat:openshift_distributed_tracing:2.9::el8", "package": "tempo-operator-container", "product_name": "Red Hat OpenShift distributed tracing 2", "release_date": "2023-10-30T00:00:00Z"}, {"advisory": "RHSA-2023:6180", "cpe": "cpe:/a:redhat:openshift_distributed_tracing:2.9::el8", "package": "tempo-query-container", "product_name": "Red Hat OpenShift distributed tracing 2", "release_date": "2023-10-30T00:00:00Z"}], "bugzilla": {"description": "browserify-sign: upper bound check issue in dsaVerify leads to a signature forgery attack", "id": "2246470", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2246470"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "status": "verified"}, "cwe": "CWE-347", "details": ["browserify-sign is a package to duplicate the functionality of node's crypto public key functions, much of this is based on Fedor Indutny's work on indutny/tls.js. An upper bound check issue in `dsaVerify` function allows an attacker to construct signatures that can be successfully verified by any public key, thus leading to a signature forgery attack. All places in this project that involve DSA verification of user-input signatures will be affected by this vulnerability. This issue has been patched in version 4.2.2.", "A flaw was found in browserify-sign node package. This issue may allow a malicious user to execute a signature forgery attack by not correctly checking cryptographic signatures for DSA data, resulting in a jeopardized environment."], "mitigation": {"lang": "en:us", "value": "No current mitigation is yet available for this flaw."}, "name": "CVE-2023-46234", "package_state": [{"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Not affected", "package_name": "openshift-logging/kibana6-rhel8", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Affected", "package_name": "openshift-pipelines/pipelines-hub-api-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Affected", "package_name": "openshift-pipelines/pipelines-hub-db-migration-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Affected", "package_name": "openshift-pipelines/pipelines-hub-ui-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Will not fix", "package_name": "browserify-sign", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Will not fix", "package_name": "openshift-service-mesh/kiali-rhel8", "product_name": "OpenShift Service Mesh 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Will not fix", "package_name": "browserify-sign", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/console-rhel9", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "aap-azure-ui", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:service_registry:2", "fix_state": "Affected", "package_name": "browserify-sign", "product_name": "Red Hat build of Apicurio Registry"}, {"cpe": "cpe:/a:redhat:certifications:1::el7", "fix_state": "Affected", "package_name": "redhat-certification", "product_name": "Red Hat Certification for Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:7", "fix_state": "Affected", "package_name": "browserify-sign", "product_name": "Red Hat Decision Manager 7"}, {"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Affected", "package_name": "rhdh-hub-container", "product_name": "Red Hat Developer Hub"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "mozjs60", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "pcs", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "gjs", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "pcs", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "polkit", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Fix deferred", "impact": "low", "package_name": "browserify-sign", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Not affected", "package_name": "browserify-sign", "product_name": "Red Hat Integration Camel K"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Out of support scope", "package_name": "browserify-sign", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "browserify-sign", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "browserify-sign", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Out of support scope", "package_name": "openshift3/ose-console", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "openshift4/ose-console", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift_container_storage:4", "fix_state": "Out of support scope", "package_name": "ocs4/mcg-core-rhel8", "product_name": "Red Hat Openshift Container Storage 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Not affected", "package_name": "odf4/mcg-core-rhel9", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_science", "fix_state": "Affected", "package_name": "rhods/odh-dashboard-rhel8", "product_name": "Red Hat OpenShift Data Science (RHODS)"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3:", "fix_state": "Affected", "package_name": "devspaces/dashboard-rhel8", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3:", "fix_state": "Affected", "package_name": "devspaces/traefik-rhel8", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:2", "fix_state": "Affected", "package_name": "rhosdt/jaeger-agent-rhel8", "product_name": "Red Hat OpenShift distributed tracing 2"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:2", "fix_state": "Affected", "package_name": "rhosdt/jaeger-all-in-one-rhel8", "product_name": "Red Hat OpenShift distributed tracing 2"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:2", "fix_state": "Affected", "package_name": "rhosdt/jaeger-collector-rhel8", "product_name": "Red Hat OpenShift distributed tracing 2"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:2", "fix_state": "Affected", "package_name": "rhosdt/jaeger-es-index-cleaner-rhel8", "product_name": "Red Hat OpenShift distributed tracing 2"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:2", "fix_state": "Affected", "package_name": "rhosdt/jaeger-es-rollover-rhel8", "product_name": "Red Hat OpenShift distributed tracing 2"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:2", "fix_state": "Affected", "package_name": "rhosdt/jaeger-ingester-rhel8", "product_name": "Red Hat OpenShift distributed tracing 2"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:2", "fix_state": "Affected", "package_name": "rhosdt/jaeger-query-rhel8", "product_name": "Red Hat OpenShift distributed tracing 2"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Not affected", "package_name": "openshift-gitops-1/argo-rollouts-rhel8", "product_name": "Red Hat OpenShift GitOps"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Not affected", "package_name": "browserify-sign", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Will not fix", "package_name": "quay/quay-rhel8", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Not affected", "package_name": "nodejs-webpack", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Not affected", "package_name": "satellite:el8/rubygem-rabl", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Not affected", "package_name": "tfm-rubygem-rabl", "product_name": "Red Hat Satellite 6"}], "public_date": "2023-10-26T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-46234\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-46234\nhttps://github.com/browserify/browserify-sign/security/advisories/GHSA-x9w5-v3q2-3rhw"], "statement": "An attacker could impact the integrity of a server when handling unknown input due to the lack of DSA verification, for example, pretending to be a legitimate user, gaining unauthorized access. Therefore, the impact for this vulnerability is important.\nRed Hat Fuse 7 uses browserify-sign as a transitive development dependency, hence the Low impact.", "threat_severity": "Important", "upstream_fix": "browserify-sign 4.2.2"}