Jsrsasign
CVE-2024-21484
MEDIUM
Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1Blast Radius
ecosystem impact- 72 npm packages depend on jsrsasign (14 direct, 58 indirect)
Ecosystem-wide dependent count for version 11.0.0.
DescriptionNVD
Versions of the package jsrsasign before 11.0.0 are vulnerable to Observable Discrepancy via the RSA PKCS1.5 or RSAOAEP decryption process. An attacker can decrypt ciphertexts by exploiting the Marvin security flaw. Exploiting this vulnerability requires the attacker to have access to a large number of ciphertexts encrypted with the same key. Workaround The vulnerability can be mitigated by finding and replacing RSA and RSAOAEP decryption with another crypto library.
AnalysisAI
Versions of the package jsrsasign before 11.0.0 are vulnerable to Observable Discrepancy via the RSA PKCS1.5 or RSAOAEP decryption process. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.
Technical ContextAI
This vulnerability is classified under CWE-203. Versions of the package jsrsasign before 11.0.0 are vulnerable to Observable Discrepancy via the RSA PKCS1.5 or RSAOAEP decryption process. An attacker can decrypt ciphertexts by exploiting the Marvin security flaw. Exploiting this vulnerability requires the attacker to have access to a large number of ciphertexts encrypted with the same key. Workaround The vulnerability can be mitigated by finding and replacing RSA and RSAOAEP decryption with another crypto library. Affected products include: Kjur Jsrsasign. Version information: before 11.0.0.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
An issue was discovered in the jsrsasign package before 8.0.17 for Node.js. Rated critical severity (CVSS 9.8), this vul
An issue was discovered in the jsrsasign package before 8.0.18 for Node.js. Rated critical severity (CVSS 9.8), this vul
The package jsrsasign before 10.5.25 are vulnerable to Improper Verification of Cryptographic Signature when JWS or JWT
An issue was discovered in the jsrsasign package through 8.0.18 for Node.js. Rated high severity (CVSS 7.5), this vulner
The jsrsasign JavaScript cryptographic library contains a critical vulnerability in its random number generation functio
In the jsrsasign package through 10.1.13 for Node.js, some invalid RSA PKCS#1 v1.5 signatures are mistakenly recognized
Private key recovery is possible in jsrsasign versions before 11.1.1 when attackers force invalid DSA signatures with ze
Cryptographic signature bypass in jsrsasign before 11.1.1 allows remote attackers to forge DSA signatures and X.509 cert
The jsrsasign JavaScript library contains an infinite loop vulnerability in the BigInteger.modInverse function that allo
The jsrsasign JavaScript library before version 11.1.1 contains a vulnerability that allows attackers to break signature
jsrsasign versions before 11.1.1 contain a division by zero vulnerability in RSA public-key operations caused by imprope
Same weakness CWE-203 – Observable Discrepancy
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today