CVE-2024-21484
5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
0.001 Low
EPSS
Percentile
35.4%
Versions of the package jsrsasign before 11.0.0 are vulnerable to Observable Discrepancy via the RSA PKCS1.5 or RSAOAEP decryption process. An attacker can decrypt ciphertexts by exploiting the Marvin security flaw. Exploiting this vulnerability requires the attacker to have access to a large number of ciphertexts encrypted with the same key.
Workaround
The vulnerability can be mitigated by finding and replacing RSA and RSAOAEP decryption with another crypto library.
Affected configurations
References
github.com/kjur/jsrsasign/issues/598
github.com/kjur/jsrsasign/releases/tag/11.0.0
people.redhat.com/~hkario/marvin/
security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-6070734
security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBKJUR-6070733
security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-6070732
security.snyk.io/vuln/SNYK-JS-JSRSASIGN-6070731
Related
5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
0.001 Low
EPSS
Percentile
35.4%