org.webjars.bowergithub.kjur:jsrsasign@8.0.12 vulnerabilities

  • latest version

    9.1.9

  • first published

    7 years ago

  • latest version published

    4 years ago

  • licenses detected

  • package manager

Direct Vulnerabilities

Known vulnerabilities in the org.webjars.bowergithub.kjur:jsrsasign package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • H
Observable Discrepancy

org.webjars.bowergithub.kjur:jsrsasign is a free pure JavaScript cryptographic library.

Affected versions of this package are vulnerable to Observable Discrepancy via the RSA PKCS#1.5 or RSAOAEP decryption process. An attacker can decrypt ciphertexts by exploiting the Marvin security flaw. Exploiting this vulnerability requires the attacker to have access to a large number of ciphertexts encrypted with the same key.

How to fix Observable Discrepancy?

There is no fixed version for org.webjars.bowergithub.kjur:jsrsasign.

[0,)
  • H
Improper Verification of Cryptographic Signature

org.webjars.bowergithub.kjur:jsrsasign is a free pure JavaScript cryptographic library.

Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature when JWS or JWT signature with non Base64URL encoding special characters or number escaped characters may be validated as valid by mistake.

How to fix Improper Verification of Cryptographic Signature?

A fix was pushed into the master branch but not yet published.

[0,)
  • M
Cryptographic Weakness

org.webjars.bowergithub.kjur:jsrsasign is a free pure JavaScript cryptographic library.

Affected versions of this package are vulnerable to Cryptographic Weakness. Invalid RSA PKCS#1 v1.5 signatures are mistakenly recognized to be valid.

How to fix Cryptographic Weakness?

There is no fixed version for org.webjars.bowergithub.kjur:jsrsasign.

[0,)
  • M
Memory Corruption

org.webjars.bowergithub.kjur:jsrsasign is a free pure JavaScript cryptographic library.

Affected versions of this package are vulnerable to Memory Corruption. Its RSA PKCS1 v1.5 decryption implementation does not detect ciphertext modification by prepending '\0' bytes to ciphertexts (it decrypts modified ciphertexts without error). An attacker might prepend these bytes with the goal of triggering memory corruption issues.

How to fix Memory Corruption?

There is no fixed version for org.webjars.bowergithub.kjur:jsrsasign.

[0,)
  • M
Remote Code Execution (RCE)

org.webjars.bowergithub.kjur:jsrsasign is a free pure JavaScript cryptographic library.

Affected versions of this package are vulnerable to Remote Code Execution (RCE). Its RSASSA-PSS (RSA-PSS) implementation does not detect signature manipulation/modification by prepending '\0' bytes to a signature (it accepts these modified signatures as valid). An attacker can abuse this behavior in an application by creating multiple valid signatures where only one signature should exist. Also, an attacker might prepend these bytes with the goal of triggering memory corruption issues.

How to fix Remote Code Execution (RCE)?

There is no fixed version for org.webjars.bowergithub.kjur:jsrsasign.

[0,)
  • L
Signature Bypass

org.webjars.bowergithub.kjur:jsrsasign is a free pure JavaScript cryptographic library.

Affected versions of this package are vulnerable to Signature Bypass. It allows a malleability in ECDSA signatures by not checking overflows in the length of a sequence and '0' characters appended or prepended to an integer. The modified signatures are verified as valid. This could have a security-relevant impact if an application relied on a single canonical signature.

How to fix Signature Bypass?

There is no fixed version for org.webjars.bowergithub.kjur:jsrsasign.

[0,)
  • M
Timing Attack

org.webjars.bowergithub.kjur:jsrsasign is a free pure JavaScript cryptographic library.

Affected versions of this package are vulnerable to Timing Attack. Practical recovery of the long-term private key generated by the library is possible under certain conditions. Leakage of a bit-length of the scalar during scalar multiplication is possible on an elliptic curve which might allow practical recovery of the long-term private key.

How to fix Timing Attack?

There is no fixed version for org.webjars.bowergithub.kjur:jsrsasign.

[0,)