Lucene search
Veracode Vulnerability DatabaseVERACODE:25740HistoryJun 23, 2020 - 3:28 a.m.
Incorrect Signature Validation
2020-06-2303:28:01
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
4
0.017 Low
EPSS
Percentile
87.7%
jsrsasign uses an incorrect signature validation. It is possible because its RSASSA-PSS (RSA-PSS) implementation has a flaw which accepts manipulated/modified signatures as valid signatures by prepending ‘\0’ bytes to a signature and also allows an attacker to send multiple valid signatures to corrupt memory.
References
github.com/kjur/jsrsasign/commit/3bcc088c727658d7235854cd2a409a904cc2ce99
github.com/kjur/jsrsasign/issues/438
github.com/kjur/jsrsasign/releases/tag/8.0.17
github.com/kjur/jsrsasign/releases/tag/8.0.18
kjur.github.io/jsrsasign/
security.netapp.com/advisory/ntap-20200724-0001/
www.npmjs.com/package/jsrsasign
Related
cve
cve
CVE-2020-14968
2020-06-22 12:15:10
nodejs
nodejs
Improper Verification of Cryptographic Signature
2020-06-23 18:39:40
osv
osv
RSA-PSS signature validation vulnerability by prepending zeros in jsrsasign
2020-06-26 16:26:50
CVE-2020-14968
2020-06-22 12:15:10
cvelist
cvelist
CVE-2020-14968
2020-06-22 11:19:49
nvd
nvd
CVE-2020-14968
2020-06-22 12:15:10
prion
prion
Memory corruption
2020-06-22 12:15:00
github
github
RSA-PSS signature validation vulnerability by prepending zeros in jsrsasign
2020-06-26 16:26:50