Versions of the package jsrsasign before 11.0.0 are vulnerable to Observable Discrepancy via the RSA PKCS1.5 or RSAOAEP decryption process. An attacker can decrypt ciphertexts by exploiting the Marvin security flaw. Exploiting this vulnerability requires the attacker to have access to a large number of ciphertexts encrypted with the same key.
Workaround
The vulnerability can be mitigated by finding and replacing RSA and RSAOAEP decryption with another crypto library.
References
Link | Resource |
---|---|
https://github.com/kjur/jsrsasign/issues/598 | Exploit Issue Tracking Vendor Advisory |
https://github.com/kjur/jsrsasign/releases/tag/11.0.0 | Patch Release Notes |
https://people.redhat.com/~hkario/marvin/ | |
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-6070734 | Patch Third Party Advisory |
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBKJUR-6070733 | Patch Third Party Advisory |
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-6070732 | Patch Third Party Advisory |
https://security.snyk.io/vuln/SNYK-JS-JSRSASIGN-6070731 | Patch Third Party Advisory |
Configurations
History
06 Mar 2024, 14:15
Type | Values Removed | Values Added |
---|---|---|
Summary | (en) Versions of the package jsrsasign before 11.0.0 are vulnerable to Observable Discrepancy via the RSA PKCS1.5 or RSAOAEP decryption process. An attacker can decrypt ciphertexts by exploiting the Marvin security flaw. Exploiting this vulnerability requires the attacker to have access to a large number of ciphertexts encrypted with the same key. Workaround The vulnerability can be mitigated by finding and replacing RSA and RSAOAEP decryption with another crypto library. |
27 Feb 2024, 16:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
08 Feb 2024, 14:15
Type | Values Removed | Values Added |
---|---|---|
Summary | (en) Versions of the package jsrsasign before 11.0.0 are vulnerable to Observable Discrepancy via the RSA PKCS1.5 or RSAOAEP decryption process. An attacker can decrypt ciphertexts by exploiting this vulnerability. Exploiting this vulnerability requires the attacker to have access to a large number of ciphertexts encrypted with the same key. Workaround The vulnerability can be mitigated by finding and replacing RSA and RSAOAEP decryption with another crypto library. |
29 Jan 2024, 19:29
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:jsrsasign_project:jsrsasign:*:*:*:*:*:node.js:*:* | |
CWE | CWE-203 | |
References | () https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBKJUR-6070733 - Patch, Third Party Advisory | |
References | () https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-6070734 - Patch, Third Party Advisory | |
References | () https://github.com/kjur/jsrsasign/releases/tag/11.0.0 - Patch, Release Notes | |
References | () https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-6070732 - Patch, Third Party Advisory | |
References | () https://security.snyk.io/vuln/SNYK-JS-JSRSASIGN-6070731 - Patch, Third Party Advisory | |
References | () https://github.com/kjur/jsrsasign/issues/598 - Exploit, Issue Tracking, Vendor Advisory | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 5.9 |
22 Jan 2024, 14:01
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-01-22 05:15
Updated : 2024-03-06 14:15
NVD link : CVE-2024-21484
Mitre link : CVE-2024-21484
CVE.ORG link : CVE-2024-21484
JSON object : View
Products Affected
jsrsasign_project
- jsrsasign
CWE
CWE-203
Observable Discrepancy