CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS
Percentile
83.0%
jsrsasign supports ECDSA signature verification in which the signature value is represented in ASN.1 DER encoding. Affected versions may accept an incorrectly ASN.1 DER encoded ECDSA signature such as:
This vulnerability was fixed by strict ASN.1 DER checking.
Here is an assessment of this vulnerability:
As discussed in the linked issue (kjur/jsrsasign#437), no standard such as X9.62 strictly requires ASN.1 DER for the signature value, so ASN.1 BER could in principle be applied to ECDSA; however, most implementations, OpenSSL included, do strict ASN.1 DER checking. Accepting non-canonical encodings means that a single (r, s) pair has many byte-level representations, so a third party can produce alternative signature blobs that still verify without holding the private key; any consumer that treats the signature bytes as unique (for deduplication, identifiers or replay detection), or that mixes jsrsasign with a strict verifier, is exposed.
Users who rely on ECDSA signature verification should upgrade to 8.0.19.
The fix performs strict ASN.1 DER checking on the ASN.1-encoded ECDSA signature value.
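The following is an added example, not code from jsrsasign or from the advisory: a dependency-free strict DER parser for `ECDSA-Sig-Value ::= SEQUENCE { r INTEGER, s INTEGER }` that accepts exactly one encoding per (r, s) pair and rejects the BER-legal but DER-illegal forms the advisory refers to (long-form length where short form suffices, indefinite length, padded INTEGERs, trailing bytes). The library's own fix is its `ASN1HEX.checkStrictDER` routine linked in the references; the function names and the hex test vectors below are constructed for illustration.

```javascript
// Added example (not jsrsasign's code): strict DER parsing of an ECDSA
// signature value. Every check below corresponds to a DER rule that BER relaxes.

function hexToBytes(hex) {
  if (hex.length % 2 !== 0 || /[^0-9a-fA-F]/.test(hex)) throw new Error("bad hex");
  const out = new Uint8Array(hex.length / 2);
  for (let i = 0; i < out.length; i++) out[i] = parseInt(hex.slice(2 * i, 2 * i + 2), 16);
  return out;
}

// Read a DER length at `off`; returns [length, bytesConsumed].
// DER requires: short form for lengths < 128, minimal long form otherwise,
// no leading zero length bytes, and never the indefinite form (0x80).
function readDerLength(buf, off) {
  if (off >= buf.length) throw new Error("truncated length");
  const first = buf[off];
  if (first < 0x80) return [first, 1];
  if (first === 0x80) throw new Error("indefinite length is BER, not DER");
  const n = first & 0x7f;
  if (n > 4) throw new Error("length too large");
  if (off + 1 + n > buf.length) throw new Error("truncated length");
  if (buf[off + 1] === 0x00) throw new Error("non-minimal length (leading zero byte)");
  let len = 0;
  for (let i = 0; i < n; i++) len = len * 256 + buf[off + 1 + i];
  if (len < 0x80) throw new Error("non-minimal length (long form for short length)");
  return [len, 1 + n];
}

// Parse one DER INTEGER at `off`; returns [BigInt value, bytesConsumed].
// ECDSA components are positive, so a set high bit (negative) is an error,
// and a leading 0x00 is only allowed when needed to keep the value positive.
function readDerInteger(buf, off) {
  if (buf[off] !== 0x02) throw new Error("expected INTEGER tag");
  const [len, lenSize] = readDerLength(buf, off + 1);
  const start = off + 1 + lenSize, end = start + len;
  if (len === 0) throw new Error("empty INTEGER");
  if (end > buf.length) throw new Error("truncated INTEGER");
  const b = buf.subarray(start, end);
  if (b[0] & 0x80) throw new Error("negative INTEGER is not a valid ECDSA component");
  if (b[0] === 0x00 && b.length > 1 && !(b[1] & 0x80)) throw new Error("non-minimal INTEGER (padding zero)");
  let v = 0n;
  for (const x of b) v = (v << 8n) | BigInt(x);
  return [v, end - off];
}

// Strictly parse a hex-encoded ECDSA-Sig-Value; returns {r, s} as BigInts or throws.
function parseEcdsaSigDerStrict(hex) {
  const buf = hexToBytes(hex);
  if (buf[0] !== 0x30) throw new Error("expected SEQUENCE tag");
  const [seqLen, seqLenSize] = readDerLength(buf, 1);
  const body = 1 + seqLenSize;
  if (body + seqLen !== buf.length) throw new Error("SEQUENCE length does not match input (trailing or missing bytes)");
  const [r, rSize] = readDerInteger(buf, body);
  const [s, sSize] = readDerInteger(buf, body + rSize);
  if (rSize + sSize !== seqLen) throw new Error("extra content inside SEQUENCE");
  if (r === 0n || s === 0n) throw new Error("r and s must be non-zero");
  return { r, s };
}

function isStrictDerSig(hex) {
  try { parseEcdsaSigDerStrict(hex); return true; } catch (e) { return false; }
}

// Constructed vectors (not from the advisory): one canonical encoding of
// (r = 0xff, s = 0x7f) and several re-encodings of the same pair that are
// valid BER but not DER. A lenient verifier would accept all of them.
const VECTORS = {
  canonical:      "3007020200ff02017f",
  longFormLength: "308107020200ff02017f",     // 0x81 0x07 where 0x07 suffices
  paddedInteger:  "300802030000ff02017f",     // r padded with an extra 0x00
  trailingByte:   "3007020200ff02017f00",     // garbage after the SEQUENCE
  negativeS:      "3007020200ff0201ff",       // s = 0xff without a leading 0x00
  indefiniteLen:  "3080020200ff02017f0000",   // BER indefinite-length SEQUENCE
  extraElement:   "300a020200ff02017f020101", // third INTEGER inside SEQUENCE
};

// Returns { name: accepted } for every vector; only "canonical" should be true.
function checkVectors() {
  const out = {};
  for (const [name, hex] of Object.entries(VECTORS)) out[name] = isStrictDerSig(hex);
  return out;
}
```

Only `canonical` passes; every other vector decodes to the same (r, s) under a lenient BER reader, which is exactly the malleability the upgrade to 8.0.19 closes.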
https://nvd.nist.gov/vuln/detail/CVE-2020-14966
https://vulners.com/cve/CVE-2020-14966
https://vuldb.com/?id.157123
https://github.com/kjur/jsrsasign/issues/437
https://kjur.github.io/jsrsasign/api/symbols/KJUR.crypto.ECDSA.html
https://kjur.github.io/jsrsasign/api/symbols/ASN1HEX.html#.checkStrictDER
https://www.itu.int/rec/T-REC-X.690
Vendor | Product | Version | CPE |
---|---|---|---|
jsrsasign_project | jsrsasign | * | cpe:2.3:a:jsrsasign_project:jsrsasign:*:*:*:*:*:node.js:*:* |
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14966
github.com/advisories/GHSA-p8c3-7rj8-q963
github.com/kjur/jsrsasign/commit/6087412d072a57074d3c4c1b40bdde0460d53a7f
github.com/kjur/jsrsasign/issues/437
github.com/kjur/jsrsasign/releases/tag/8.0.17
github.com/kjur/jsrsasign/releases/tag/8.0.18
github.com/kjur/jsrsasign/security/advisories/GHSA-p8c3-7rj8-q963
kjur.github.io/jsrsasign/
kjur.github.io/jsrsasign/api/symbols/ASN1HEX.html#.checkStrictDER
kjur.github.io/jsrsasign/api/symbols/KJUR.crypto.ECDSA.html
nvd.nist.gov/vuln/detail/CVE-2020-14966
security.netapp.com/advisory/ntap-20200724-0001/
vuldb.com/?id.157123
www.npmjs.com/package/jsrsasign