CVE-2024-21484
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
22/01/2024
Last modified:
06/03/2024
Description
Versions of the jsrsasign package before 11.0.0 are vulnerable to Observable Discrepancy in their RSA PKCS#1 v1.5 and RSA-OAEP decryption routines: decryption time varies with whether the recovered padding is valid, which is the timing side channel the Marvin attack exploits. An attacker who can have the vulnerable code decrypt a large number of chosen ciphertexts under the same key, and measure the processing time of each, can use this to recover plaintexts encrypted with that key.

Workaround

Upgrade to jsrsasign 11.0.0 or later. Where upgrading is not immediately possible, the vulnerability can be mitigated by locating every use of jsrsasign's RSA PKCS#1 v1.5 and RSA-OAEP decryption and replacing it with another cryptographic library.
Impact
Base Score 3.x
5.90
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:jsrsasign_project:jsrsasign:*:*:*:*:*:node.js:*:* | | 11.0.0 (excluding) |
References to Advisories, Solutions, and Tools
- https://github.com/kjur/jsrsasign/issues/598
- https://github.com/kjur/jsrsasign/releases/tag/11.0.0
- https://people.redhat.com/~hkario/marvin/
- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-6070734
- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBKJUR-6070733
- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-6070732
- https://security.snyk.io/vuln/SNYK-JS-JSRSASIGN-6070731