3 matches found
CVE-2020-14967
An issue was discovered in the jsrsasign package before 8.0.18 for Node.js. Its RSA PKCS1 v1.5 decryption implementation does not detect ciphertext modification by prepending '\0' bytes to ciphertexts it decrypts modified ciphertexts without error. An attacker might prepend these bytes with the...
@10yun/cv-mobile-ui (=0.3.20), @1auth/authn-webauthn (>=0.0.0-alpha.0 <=0.0.0-alpha.3) +1438 more potentially affected by CVE-2020-14967 via jsrsasign (>=0.0.3 <=8.0.17)
jsrsasign NPM version =0.0.3, =0.0.0-alpha.0, =0.0.1, =7.4.0, =7.4.0, =0.14.7, =2.0.1-alpha.0, =1.0.0, =1.0.0, =2.0.1-alpha.0, =1.0.0, =1.0.0, =1.0.17-beta.7, =0.9.0, =1.0.0-alpha.0, =1.0.0-alpha.34 and more Source cves: CVE-2020-14967 Source advisory: OSV:GHSA-XXXQ-CHMP-67G4...
CVE-2020-14967
CVE-2020-14967 affects the jsrsasign package for Node.js prior to version 8.0.18. The RSA PKCS1 v1.5 decryption path does not detect ciphertext modifications when zeros are prepended to ciphertexts, allowing modified ciphertexts to be decrypted without error and potentially triggering memory corr...