CVE-2024-21484
Vulnerability from cvelistv5
Published
2024-01-22 05:00
Modified
2024-10-21 10:56
Severity ?
EPSS score ?
Summary
Versions of the package jsrsasign before 11.0.0 are vulnerable to Observable Discrepancy via the RSA PKCS1.5 or RSAOAEP decryption process. An attacker can decrypt ciphertexts by exploiting the Marvin security flaw. Exploiting this vulnerability requires the attacker to have access to a large number of ciphertexts encrypted with the same key.
Workaround
The vulnerability can be mitigated by finding and replacing RSA and RSAOAEP decryption with another crypto library.
References
▼ | URL | Tags | |
---|---|---|---|
report@snyk.io | https://github.com/kjur/jsrsasign/issues/598 | Exploit, Issue Tracking, Vendor Advisory | |
report@snyk.io | https://github.com/kjur/jsrsasign/releases/tag/11.0.0 | Patch, Release Notes | |
report@snyk.io | https://people.redhat.com/~hkario/marvin/ | ||
report@snyk.io | https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-6070734 | Patch, Third Party Advisory | |
report@snyk.io | https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBKJUR-6070733 | Patch, Third Party Advisory | |
report@snyk.io | https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-6070732 | Patch, Third Party Advisory | |
report@snyk.io | https://security.snyk.io/vuln/SNYK-JS-JSRSASIGN-6070731 | Patch, Third Party Advisory |
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-01T22:20:40.779Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://security.snyk.io/vuln/SNYK-JS-JSRSASIGN-6070731" }, { "tags": [ "x_transferred" ], "url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-6070732" }, { "tags": [ "x_transferred" ], "url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBKJUR-6070733" }, { "tags": [ "x_transferred" ], "url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-6070734" }, { "tags": [ "x_transferred" ], "url": "https://github.com/kjur/jsrsasign/issues/598" }, { "tags": [ "x_transferred" ], "url": "https://github.com/kjur/jsrsasign/releases/tag/11.0.0" }, { "tags": [ "x_transferred" ], "url": "https://people.redhat.com/~hkario/marvin/" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2024-21484", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-01-23T16:15:40.631419Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-21T10:56:23.141Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "jsrsasign", "vendor": "n/a", "versions": [ { "lessThan": "11.0.0", "status": "affected", "version": "0", "versionType": "semver" } ] }, { "product": "org.webjars.npm:jsrsasign", "vendor": "n/a", "versions": [ { "lessThan": "*", "status": "affected", "version": "0", "versionType": "semver" } ] }, { "product": "org.webjars.bowergithub.kjur:jsrsasign", "vendor": "n/a", "versions": [ { "lessThan": "*", "status": "affected", "version": "0", "versionType": "semver" } ] }, { "product": "org.webjars.bower:jsrsasign", "vendor": "n/a", "versions": [ { "lessThan": "*", "status": "affected", "version": "0", "versionType": "semver" } ] } ], "credits": [ { "lang": "en", "value": "Hubert Kario" } ], "descriptions": [ { "lang": "en", "value": "Versions of the package jsrsasign before 11.0.0 are vulnerable to Observable Discrepancy via the RSA PKCS1.5 or RSAOAEP decryption process. An attacker can decrypt ciphertexts by exploiting the Marvin security flaw. Exploiting this vulnerability requires the attacker to have access to a large number of ciphertexts encrypted with the same key.\r\r Workaround \r\rThe vulnerability can be mitigated by finding and replacing RSA and RSAOAEP decryption with another crypto library." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:L/E:P", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-203", "description": "Observable Discrepancy", "lang": "en" } ] } ], "providerMetadata": { "dateUpdated": "2024-03-06T14:09:29.400Z", "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk" }, "references": [ { "url": "https://security.snyk.io/vuln/SNYK-JS-JSRSASIGN-6070731" }, { "url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-6070732" }, { "url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBKJUR-6070733" }, { "url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-6070734" }, { "url": "https://github.com/kjur/jsrsasign/issues/598" }, { "url": "https://github.com/kjur/jsrsasign/releases/tag/11.0.0" }, { "url": "https://people.redhat.com/~hkario/marvin/" } ] } }, "cveMetadata": { "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "assignerShortName": "snyk", "cveId": "CVE-2024-21484", "datePublished": "2024-01-22T05:00:02.087Z", "dateReserved": "2023-12-22T12:33:20.117Z", "dateUpdated": "2024-10-21T10:56:23.141Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2024-21484\",\"sourceIdentifier\":\"report@snyk.io\",\"published\":\"2024-01-22T05:15:08.720\",\"lastModified\":\"2024-03-06T14:15:47.533\",\"vulnStatus\":\"Modified\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"Versions of the package jsrsasign before 11.0.0 are vulnerable to Observable Discrepancy via the RSA PKCS1.5 or RSAOAEP decryption process. An attacker can decrypt ciphertexts by exploiting the Marvin security flaw. Exploiting this vulnerability requires the attacker to have access to a large number of ciphertexts encrypted with the same key.\\r\\r Workaround \\r\\rThe vulnerability can be mitigated by finding and replacing RSA and RSAOAEP decryption with another crypto library.\"},{\"lang\":\"es\",\"value\":\"Las versiones del paquete jsrsasign anteriores a 11.0.0 son vulnerables a la discrepancia observable a trav\u00e9s del proceso de descifrado RSA PKCS1.5 o RSAOAEP. Un atacante puede descifrar textos cifrados aprovechando esta vulnerabilidad. Explotar esta vulnerabilidad requiere que el atacante tenga acceso a una gran cantidad de textos cifrados con la misma clave. Workaround esta vulnerabilidad se puede mitigar buscando y reemplazando el descifrado RSA y RSAOAEP con otra librer\u00eda criptogr\u00e1fica.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\",\"baseScore\":5.9,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":2.2,\"impactScore\":3.6},{\"source\":\"report@snyk.io\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:L\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"LOW\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\"},\"exploitabilityScore\":2.2,\"impactScore\":4.7}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-203\"}]},{\"source\":\"report@snyk.io\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-203\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:jsrsasign_project:jsrsasign:*:*:*:*:*:node.js:*:*\",\"versionEndExcluding\":\"11.0.0\",\"matchCriteriaId\":\"4651F559-5FE3-40F1-94FD-355954307381\"}]}]}],\"references\":[{\"url\":\"https://github.com/kjur/jsrsasign/issues/598\",\"source\":\"report@snyk.io\",\"tags\":[\"Exploit\",\"Issue Tracking\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/kjur/jsrsasign/releases/tag/11.0.0\",\"source\":\"report@snyk.io\",\"tags\":[\"Patch\",\"Release Notes\"]},{\"url\":\"https://people.redhat.com/~hkario/marvin/\",\"source\":\"report@snyk.io\"},{\"url\":\"https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-6070734\",\"source\":\"report@snyk.io\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBKJUR-6070733\",\"source\":\"report@snyk.io\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-6070732\",\"source\":\"report@snyk.io\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://security.snyk.io/vuln/SNYK-JS-JSRSASIGN-6070731\",\"source\":\"report@snyk.io\",\"tags\":[\"Patch\",\"Third Party Advisory\"]}]}}" } }
Loading...
Loading...
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.