CVE-2024-21484

CVSS 7.5 HIGHEPSS 1.0%CWE-203

Vexday Risk Score

21Baixo

Decisão SSVC (CISA)

Track

Sem sinal de exploração → monitorar

CVSS 7.5EPSS 1.0%KEV nãoPoC —Patch —

Ciclo de vida

22 de jan. de 2024Publicada no NVD

Recomendação: Monitorar — sem sinal de exploração no momento.

Versions of the package jsrsasign before 11.0.0 are vulnerable to Observable Discrepancy via the RSA PKCS1.5 or RSAOAEP decryption process. An attacker can decrypt ciphertexts by exploiting the Marvin security flaw. Exploiting this vulnerability requires the attacker to have access to a large number of ciphertexts encrypted with the same key. Workaround The vulnerability can be mitigated by finding and replacing RSA and RSAOAEP decryption with another crypto library.

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:L/E:P

Produtos afetados

n/a · jsrsasign n/a · org.webjars.bowergithub.kjur:jsrsasign n/a · org.webjars.bower:jsrsasign n/a · org.webjars.npm:jsrsasign

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://github.com/kjur/jsrsasign/issues/598 https://github.com/kjur/jsrsasign/releases/tag/11.0.0 https://people.redhat.com/~hkario/marvin/https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-6070734 https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBKJUR-6070733 https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-6070732 https://security.snyk.io/vuln/SNYK-JS-JSRSASIGN-6070731