CVE-2024-21484
CVE-2024-21484
Vexday Risk Score
21Bajo
Decisión SSVC (CISA)
Track
Sin señal de explotación → monitorear
CVSS 7.5EPSS 1.0%KEV nãoPoC —Patch —
Ciclo de vida
22 ene 2024Publicada en NVD
Recomendación: Monitorear — sin señal de explotación por ahora.
Versions of the package jsrsasign before 11.0.0 are vulnerable to Observable Discrepancy via the RSA PKCS1.5 or RSAOAEP decryption process. An attacker can decrypt ciphertexts by exploiting the Marvin security flaw. Exploiting this vulnerability requires the attacker to have access to a large number of ciphertexts encrypted with the same key.
Workaround
The vulnerability can be mitigated by finding and replacing RSA and RSAOAEP decryption with another crypto library.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:L/E:P
Productos afectados
n/a · jsrsasignn/a · org.webjars.bowergithub.kjur:jsrsasignn/a · org.webjars.bower:jsrsasignn/a · org.webjars.npm:jsrsasign¿Quieres saber si tu infraestructura está expuesta a esto?
Hablar con TrueHacking →Referencias
https://github.com/kjur/jsrsasign/issues/598https://github.com/kjur/jsrsasign/releases/tag/11.0.0https://people.redhat.com/~hkario/marvin/https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-6070734https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBKJUR-6070733https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-6070732https://security.snyk.io/vuln/SNYK-JS-JSRSASIGN-6070731