Skip to main content

Jsrsasign CVE-2024-21484

MEDIUM
Observable Discrepancy (CWE-203)
2024-01-22 report@snyk.io
5.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.9 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
CVE Published
Jan 22, 2024 - 05:15 nvd
MEDIUM 5.9

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 72 npm packages depend on jsrsasign (14 direct, 58 indirect)

Ecosystem-wide dependent count for version 11.0.0.

DescriptionNVD

Versions of the package jsrsasign before 11.0.0 are vulnerable to Observable Discrepancy via the RSA PKCS1.5 or RSAOAEP decryption process. An attacker can decrypt ciphertexts by exploiting the Marvin security flaw. Exploiting this vulnerability requires the attacker to have access to a large number of ciphertexts encrypted with the same key. Workaround The vulnerability can be mitigated by finding and replacing RSA and RSAOAEP decryption with another crypto library.

AnalysisAI

Versions of the package jsrsasign before 11.0.0 are vulnerable to Observable Discrepancy via the RSA PKCS1.5 or RSAOAEP decryption process. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Technical ContextAI

This vulnerability is classified under CWE-203. Versions of the package jsrsasign before 11.0.0 are vulnerable to Observable Discrepancy via the RSA PKCS1.5 or RSAOAEP decryption process. An attacker can decrypt ciphertexts by exploiting the Marvin security flaw. Exploiting this vulnerability requires the attacker to have access to a large number of ciphertexts encrypted with the same key. Workaround The vulnerability can be mitigated by finding and replacing RSA and RSAOAEP decryption with another crypto library. Affected products include: Kjur Jsrsasign. Version information: before 11.0.0.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2020-14968 CRITICAL POC
9.8 Jun 22

An issue was discovered in the jsrsasign package before 8.0.17 for Node.js. Rated critical severity (CVSS 9.8), this vul

CVE-2020-14967 CRITICAL POC
9.8 Jun 22

An issue was discovered in the jsrsasign package before 8.0.18 for Node.js. Rated critical severity (CVSS 9.8), this vul

CVE-2022-25898 CRITICAL POC
9.8 Jul 01

The package jsrsasign before 10.5.25 are vulnerable to Improper Verification of Cryptographic Signature when JWS or JWT

CVE-2020-14966 HIGH POC
7.5 Jun 22

An issue was discovered in the jsrsasign package through 8.0.18 for Node.js. Rated high severity (CVSS 7.5), this vulner

CVE-2026-4599 CRITICAL
9.3 Mar 23

The jsrsasign JavaScript cryptographic library contains a critical vulnerability in its random number generation functio

CVE-2021-30246 CRITICAL
9.1 Apr 07

In the jsrsasign package through 10.1.13 for Node.js, some invalid RSA PKCS#1 v1.5 signatures are mistakenly recognized

CVE-2026-4601 HIGH
8.8 Mar 23

Private key recovery is possible in jsrsasign versions before 11.1.1 when attackers force invalid DSA signatures with ze

CVE-2026-4600 HIGH
8.1 Mar 23

Cryptographic signature bypass in jsrsasign before 11.1.1 allows remote attackers to forge DSA signatures and X.509 cert

CVE-2026-4598 HIGH
7.7 Mar 23

The jsrsasign JavaScript library contains an infinite loop vulnerability in the BigInteger.modInverse function that allo

CVE-2026-4602 HIGH
7.7 Mar 23

The jsrsasign JavaScript library before version 11.1.1 contains a vulnerability that allows attackers to break signature

CVE-2026-4603 LOW POC
2.0 Mar 23

jsrsasign versions before 11.1.1 contain a division by zero vulnerability in RSA public-key operations caused by imprope

Share

CVE-2024-21484 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy