Lucene search

PRIOn knowledge basePRION:CVE-2024-21484

HistoryJan 22, 2024 - 5:15 a.m.

Spoofing

2024-01-2205:15:00

PRIOn knowledge base

www.prio-n.com

spoofing

observable discrepancy

rsa

pkcs1.5

rsaoaep

decryption

marvin

vulnerability

attacker

ciphertexts

crypto library

nvd

5.6 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

35.4%

JSON

Versions of the package jsrsasign before 11.0.0 are vulnerable to Observable Discrepancy via the RSA PKCS1.5 or RSAOAEP decryption process. An attacker can decrypt ciphertexts by exploiting the Marvin security flaw. Exploiting this vulnerability requires the attacker to have access to a large number of ciphertexts encrypted with the same key.

Workaround

The vulnerability can be mitigated by finding and replacing RSA and RSAOAEP decryption with another crypto library.

CPENameOperatorVersion
jsrsasignlt11.0.0

CPE	Name	Operator	Version
	jsrsasign	lt	11.0.0

References

github.com/kjur/jsrsasign/issues/598

github.com/kjur/jsrsasign/releases/tag/11.0.0

people.redhat.com/~hkario/marvin/

security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-6070734

security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBKJUR-6070733

security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-6070732

security.snyk.io/vuln/SNYK-JS-JSRSASIGN-6070731