Lucene search

[email protected]CVE-2024-21484

HistoryJan 22, 2024 - 5:15 a.m.

CVE-2024-21484

2024-01-2205:15:08

CWE-203

[email protected]

web.nvd.nist.gov

cve

2024

21484

vulnerability

jsrsasign

observable discrepancy

rsa

pkcs1.5

rsaoaep

decryption

nvd

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:L/E:P

5.6 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

35.7%

JSON

Versions of the package jsrsasign before 11.0.0 are vulnerable to Observable Discrepancy via the RSA PKCS1.5 or RSAOAEP decryption process. An attacker can decrypt ciphertexts by exploiting the Marvin security flaw. Exploiting this vulnerability requires the attacker to have access to a large number of ciphertexts encrypted with the same key.

Workaround

The vulnerability can be mitigated by finding and replacing RSA and RSAOAEP decryption with another crypto library.

Affected configurations

NVD

Node

jsrsasign_projectjsrsasignRange<11.0.0node.js

CPENameOperatorVersion
jsrsasign_project:jsrsasignjsrsasign project jsrsasignlt11.0.0

CPE	Name	Operator	Version
jsrsasign_project:jsrsasign	jsrsasign project jsrsasign	lt	11.0.0

CNA Affected

[
  {
    "product": "jsrsasign",
    "versions": [
      {
        "version": "0",
        "lessThan": "11.0.0",
        "status": "affected",
        "versionType": "semver"
      }
    ],
    "vendor": "n/a"
  },
  {
    "product": "org.webjars.npm:jsrsasign",
    "versions": [
      {
        "version": "0",
        "lessThan": "*",
        "status": "affected",
        "versionType": "semver"
      }
    ],
    "vendor": "n/a"
  },
  {
    "product": "org.webjars.bowergithub.kjur:jsrsasign",
    "versions": [
      {
        "version": "0",
        "lessThan": "*",
        "status": "affected",
        "versionType": "semver"
      }
    ],
    "vendor": "n/a"
  },
  {
    "product": "org.webjars.bower:jsrsasign",
    "versions": [
      {
        "version": "0",
        "lessThan": "*",
        "status": "affected",
        "versionType": "semver"
      }
    ],
    "vendor": "n/a"
  }
]