gsd-2024-21484
Vulnerability from gsd
Modified
2023-12-23 06:02
Details
Versions of the package jsrsasign before 11.0.0 are vulnerable to Observable Discrepancy via the RSA PKCS1.5 or RSAOAEP decryption process. An attacker can decrypt ciphertexts by exploiting this vulnerability. Exploiting this vulnerability requires the attacker to have access to a large number of ciphertexts encrypted with the same key.
Workaround
This vulnerability can be mitigated by finding and replacing RSA and RSAOAEP decryption with another crypto library.
Aliases
{
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2024-21484"
],
"details": "Versions of the package jsrsasign before 11.0.0 are vulnerable to Observable Discrepancy via the RSA PKCS1.5 or RSAOAEP decryption process. An attacker can decrypt ciphertexts by exploiting this vulnerability. Exploiting this vulnerability requires the attacker to have access to a large number of ciphertexts encrypted with the same key.\r\r Workaround \r\rThis vulnerability can be mitigated by finding and replacing RSA and RSAOAEP decryption with another crypto library.",
"id": "GSD-2024-21484",
"modified": "2023-12-23T06:02:09.508178Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "report@snyk.io",
"ID": "CVE-2024-21484",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "jsrsasign",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "0",
"version_value": "11.0.0"
}
]
}
},
{
"product_name": "org.webjars.npm:jsrsasign",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "0",
"version_value": "*"
}
]
}
},
{
"product_name": "org.webjars.bowergithub.kjur:jsrsasign",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "0",
"version_value": "*"
}
]
}
},
{
"product_name": "org.webjars.bower:jsrsasign",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "0",
"version_value": "*"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"credits": [
{
"lang": "en",
"value": "Hubert Kario"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Versions of the package jsrsasign before 11.0.0 are vulnerable to Observable Discrepancy via the RSA PKCS1.5 or RSAOAEP decryption process. An attacker can decrypt ciphertexts by exploiting the Marvin security flaw. Exploiting this vulnerability requires the attacker to have access to a large number of ciphertexts encrypted with the same key.\r\r Workaround \r\rThe vulnerability can be mitigated by finding and replacing RSA and RSAOAEP decryption with another crypto library."
}
]
},
"impact": {
"cvss": [
{
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:L/E:P",
"version": "3.1"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"cweId": "CWE-203",
"lang": "eng",
"value": "Observable Discrepancy"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://security.snyk.io/vuln/SNYK-JS-JSRSASIGN-6070731",
"refsource": "MISC",
"url": "https://security.snyk.io/vuln/SNYK-JS-JSRSASIGN-6070731"
},
{
"name": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-6070732",
"refsource": "MISC",
"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-6070732"
},
{
"name": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBKJUR-6070733",
"refsource": "MISC",
"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBKJUR-6070733"
},
{
"name": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-6070734",
"refsource": "MISC",
"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-6070734"
},
{
"name": "https://github.com/kjur/jsrsasign/issues/598",
"refsource": "MISC",
"url": "https://github.com/kjur/jsrsasign/issues/598"
},
{
"name": "https://github.com/kjur/jsrsasign/releases/tag/11.0.0",
"refsource": "MISC",
"url": "https://github.com/kjur/jsrsasign/releases/tag/11.0.0"
},
{
"name": "https://people.redhat.com/~hkario/marvin/",
"refsource": "MISC",
"url": "https://people.redhat.com/~hkario/marvin/"
}
]
}
},
"nvd.nist.gov": {
"cve": {
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:jsrsasign_project:jsrsasign:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "4651F559-5FE3-40F1-94FD-355954307381",
"versionEndExcluding": "11.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Versions of the package jsrsasign before 11.0.0 are vulnerable to Observable Discrepancy via the RSA PKCS1.5 or RSAOAEP decryption process. An attacker can decrypt ciphertexts by exploiting the Marvin security flaw. Exploiting this vulnerability requires the attacker to have access to a large number of ciphertexts encrypted with the same key.\r\r Workaround \r\rThe vulnerability can be mitigated by finding and replacing RSA and RSAOAEP decryption with another crypto library."
},
{
"lang": "es",
"value": "Las versiones del paquete jsrsasign anteriores a 11.0.0 son vulnerables a la discrepancia observable a trav\u00e9s del proceso de descifrado RSA PKCS1.5 o RSAOAEP. Un atacante puede descifrar textos cifrados aprovechando esta vulnerabilidad. Explotar esta vulnerabilidad requiere que el atacante tenga acceso a una gran cantidad de textos cifrados con la misma clave. Workaround esta vulnerabilidad se puede mitigar buscando y reemplazando el descifrado RSA y RSAOAEP con otra librer\u00eda criptogr\u00e1fica."
}
],
"id": "CVE-2024-21484",
"lastModified": "2024-03-06T14:15:47.533",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 4.7,
"source": "report@snyk.io",
"type": "Secondary"
}
]
},
"published": "2024-01-22T05:15:08.720",
"references": [
{
"source": "report@snyk.io",
"tags": [
"Exploit",
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://github.com/kjur/jsrsasign/issues/598"
},
{
"source": "report@snyk.io",
"tags": [
"Patch",
"Release Notes"
],
"url": "https://github.com/kjur/jsrsasign/releases/tag/11.0.0"
},
{
"source": "report@snyk.io",
"url": "https://people.redhat.com/~hkario/marvin/"
},
{
"source": "report@snyk.io",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-6070734"
},
{
"source": "report@snyk.io",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBKJUR-6070733"
},
{
"source": "report@snyk.io",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-6070732"
},
{
"source": "report@snyk.io",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://security.snyk.io/vuln/SNYK-JS-JSRSASIGN-6070731"
}
],
"sourceIdentifier": "report@snyk.io",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-203"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-203"
}
],
"source": "report@snyk.io",
"type": "Secondary"
}
]
}
}
}
}
Loading...