SNYK-JS-JSRSASIGN-6070731 PUBLISHED CVSS 7.5 HIGH

## Overview

[jsrsasign](https://www.npmjs.com/package/jsrsasign) is a free pure JavaScript cryptographic library.

Affected versions of this package are vulnerable to Observable Discrepancy (a timing side channel) in the RSA PKCS#1 v1.5 and RSA-OAEP decryption paths: how long a decryption takes, and which error path it follows, depends on where the decrypted block turns out to be malformed. This is the Marvin attack, a timing variant of Bleichenbacher's padding-oracle attack on RSA PKCS#1 v1.5. An attacker who can submit a large number of chosen ciphertexts for decryption under the same private key and measure the time of each response can use the leaked padding information to recover the plaintext of a captured ciphertext without the private key.

Exploiting this vulnerability requires the attacker to be able to drive a large number of decryptions under the same key and observe their timing; a single captured ciphertext on its own is not enough.

## Workaround

Until the package can be upgraded, locate every call into jsrsasign's RSA PKCS#1 v1.5 and RSA-OAEP decryption and replace it with another crypto library (for example the Node.js built-in `crypto` module). The leak is in the decryption path, so that is the code to find and replace.

## Remediation

Upgrade `jsrsasign` to version 11.0.0 or higher.

## References

- [GitHub Release 11.0.0](https://github.com/kjur/jsrsasign/releases/tag/11.0.0)
- [GitHub Issue #598](https://github.com/kjur/jsrsasign/issues/598)
- [Vulnerability Report: the Marvin Attack](https://people.redhat.com/~hkario/marvin/)

## Risk Scores

CVSS v3.1: 7.5 (High)

Vector: `CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:L/E:P`
