GoogleOSV:GHSA-RH63-9QCF-83GFMarvin Attack of RSA and RSAOAEP decryption in jsrsasign
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:L/E:P
6.8 Medium
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
35.4%
Impact
RSA PKCS#1.5 or RSAOAEP ciphertexts may be decrypted by this Marvin attack vulnerability.
Patches
update to jsrsasign 11.0.0.
Workarounds
Find and replace RSA and RSAOAEP decryption with other crypto library.
References
https://people.redhat.com/~hkario/marvin/
https://github.com/kjur/jsrsasign/issues/598
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-6070732
https://vulners.com/cve/CVE-2024-21484
References
github.com/kjur/jsrsasign
github.com/kjur/jsrsasign/issues/598
github.com/kjur/jsrsasign/releases/tag/11.0.0
github.com/kjur/jsrsasign/security/advisories/GHSA-rh63-9qcf-83gf
nvd.nist.gov/vuln/detail/CVE-2024-21484
people.redhat.com/~hkario/marvin
security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-6070734
security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBKJUR-6070733
security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-6070732
security.snyk.io/vuln/SNYK-JS-JSRSASIGN-6070731
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:L/E:P
6.8 Medium
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
35.4%