CVE-2022-25898 Improper Verification of Cryptographic Signature

Published: Jul 01, 2022
Source: snyk (www.cve.org), CVELIST:CVE-2022-25898
Tags: cve-2022-25898, jsrsasign, improper verification

CVSS3: 7.7 High
  Attack Vector: NETWORK
  Attack Complexity: HIGH
  Privileges Required: LOW
  User Interaction: NONE
  Scope: CHANGED
  Confidentiality Impact: LOW
  Integrity Impact: LOW
  Availability Impact: HIGH
  Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:H/E:P

AI Score: 9.7 High (Confidence: High)

EPSS: 0.01 Low (Percentile: 83.7%)

The package jsrsasign before 10.5.25 is vulnerable to Improper Verification of Cryptographic Signature: a JWS or JWT signature containing characters outside the Base64URL alphabet, or escaped number characters, may be accepted as valid by mistake. Workaround: check that the JWS or JWT is a Base64URL- and dot-safe string before calling the JWS.verify() or JWS.verifyJWT() method.
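The following is an added example of the workaround described above; it is not code from jsrsasign or from the advisory. It rejects any compact JWS/JWT string that is not exactly three dot-separated Base64URL segments before a verifier ever sees it. The function names, the regex, and the sample tokens are assumptions for illustration; the verifier callback stands in for whatever your application calls (for jsrsasign that would be its JWS.verify or JWS.verifyJWT).

```javascript
// Added example (not jsrsasign's own code): pre-validate a compact JWS/JWT
// string so that only Base64URL- and dot-safe input reaches the signature
// verifier, as the CVE-2022-25898 workaround recommends.

// One compact-serialization segment: RFC 4648 section 5 "base64url" alphabet,
// no '=' padding, no whitespace, no percent- or backslash-escapes.
const BASE64URL_SEGMENT = /^[A-Za-z0-9_-]+$/;

// True only for header.payload.signature with every segment non-empty and
// drawn from the Base64URL alphabet.
function isSafeCompactJws(token) {
  if (typeof token !== "string") return false;
  const parts = token.split(".");
  if (parts.length !== 3) return false;
  return parts.every((p) => BASE64URL_SEGMENT.test(p));
}

// Wrap any verifier so a malformed token is rejected before verification.
// `verifyFn` is assumed to take the token and return a truthy value on success
// (this matches the shape of a call such as JWS.verify, but is an assumption).
function verifyGuarded(token, verifyFn) {
  if (!isSafeCompactJws(token)) {
    return { ok: false, reason: "token is not a Base64URL- and dot-safe compact JWS" };
  }
  return { ok: Boolean(verifyFn(token)), reason: null };
}

// Constructed sample inputs (not real signed tokens; the signature segment is
// filler). Only the first one should pass the guard.
const SAMPLES = {
  wellFormed: "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.AbCd_-12",
  paddedSignature: "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.AbCd_-12==",
  percentEscaped: "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.AbCd%2F12",
  whitespace: "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.AbCd\n12",
  tooFewParts: "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9",
};

// Runs every sample through the guard with a stand-in verifier that always
// accepts, so the result shows exactly what the guard alone filters out.
function runSamples() {
  const alwaysAccept = () => true; // stand-in for the real verifier
  const results = {};
  for (const [name, token] of Object.entries(SAMPLES)) {
    results[name] = verifyGuarded(token, alwaysAccept).ok;
  }
  return results;
}

console.log(runSamples());
```

The guard is deliberately stricter than "does it decode": a segment with `=` padding or an escaped byte may still decode to something, but it is not canonical compact serialization, and a verifier that silently tolerates such input is exactly the failure mode this CVE describes. Rejecting early also gives you a clean place to log malformed tokens for detection.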

CNA Affected

[
  {
    "product": "jsrsasign",
    "vendor": "n/a",
    "versions": [
      {
        "lessThan": "10.5.25",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]

