jsrsasign accepts malleable ECDSA signatures. The vulnerability exists because it does not check for overflows in the length of a sequence, and because it allows "0" characters appended or prepended to an integer to be verified as the same as the integer without the extra "0" characters.
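The checks below are an added example, not jsrsasign's code or its fix: a strict DER parser for an ECDSA signature (a SEQUENCE of two INTEGERs) that rejects the alternative encodings described above, so each (r, s) pair has exactly one accepted byte string. The function names and the sample hex strings in the comments are constructed for illustration.

```javascript
// Strict DER check for an ECDSA signature: SEQUENCE { INTEGER r, INTEGER s }.
// Added example; names are hypothetical. Range checks on r and s (1 <= r, s < n)
// belong to the verifier and are not repeated here.
function readLen(b, pos) {
  if (pos >= b.length) throw new Error("truncated length");
  const first = b[pos];
  if (first < 0x80) return { len: first, next: pos + 1 }; // short form
  const n = first & 0x7f; // number of length bytes in long form
  if (n === 0 || n > 2) throw new Error("indefinite or oversized length");
  if (pos + 1 + n > b.length) throw new Error("truncated length");
  let len = 0;
  for (let i = 0; i < n; i++) len = (len << 8) | b[pos + 1 + i];
  // DER requires the shortest possible length encoding.
  if (b[pos + 1] === 0 || len < 0x80) throw new Error("non-minimal length");
  return { len, next: pos + 1 + n };
}

function readPositiveInt(b, pos, end) {
  if (pos >= end || b[pos] !== 0x02) throw new Error("expected INTEGER");
  const { len, next } = readLen(b, pos + 1);
  if (len === 0 || next + len > end) throw new Error("INTEGER length overflows SEQUENCE");
  if (b[next] & 0x80) throw new Error("negative INTEGER");
  // A leading 0x00 is only legal when it keeps the next byte from reading as a sign bit.
  if (len > 1 && b[next] === 0 && !(b[next + 1] & 0x80)) throw new Error("padded INTEGER");
  return { value: b.slice(next, next + len), next: next + len };
}

// Returns "ok" for a canonical encoding, otherwise the reason for rejection.
function checkEcdsaDer(hex) {
  try {
    if (!/^([0-9a-f]{2})+$/i.test(hex)) throw new Error("not hex");
    const b = Uint8Array.from(hex.match(/../g), (h) => parseInt(h, 16));
    if (b[0] !== 0x30) throw new Error("expected SEQUENCE");
    const { len, next } = readLen(b, 1);
    // The declared length must cover exactly the bytes that are present.
    if (next + len !== b.length) throw new Error("SEQUENCE length mismatch");
    const r = readPositiveInt(b, next, b.length);
    const s = readPositiveInt(b, r.next, b.length);
    if (s.next !== b.length) throw new Error("trailing bytes in SEQUENCE");
    return "ok";
  } catch (e) {
    return e.message;
  }
}

// Constructed samples: canonical r=1, s=2, then the same pair with a zero-padded r.
console.log(checkEcdsaDer("3006020101020102"), "|", checkEcdsaDer("300702020001020102"));
```

Running such a check before verification, or comparing a re-encoding of the parsed (r, s) against the received bytes, keeps signature bytes usable as a unique identifier.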
github.com/advisories/GHSA-p8c3-7rj8-q963
github.com/kjur/jsrsasign/commit/59cc1cce9467cdaafd42bdf272434ef8acbe7189
github.com/kjur/jsrsasign/issues/437
github.com/kjur/jsrsasign/releases/tag/8.0.17
github.com/kjur/jsrsasign/releases/tag/8.0.18
github.com/kjur/jsrsasign/releases/tag/8.0.19
kjur.github.io/jsrsasign/
security.netapp.com/advisory/ntap-20200724-0001/
www.npmjs.com/package/jsrsasign