Timing Attack Affecting org.webjars.bower:jsrsasign package, versions [0,]
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JAVA-ORGWEBJARSBOWER-561758
- published 31 Mar 2020
- disclosed 3 Oct 2019
- credit Centre for Research on Cryptography and Security
How to fix?
There is no fixed version for org.webjars.bower:jsrsasign
.
Overview
org.webjars.bower:jsrsasign is a free pure JavaScript cryptographic library.
Affected versions of this package are vulnerable to Timing Attack. Practical recovery of the long-term private key generated by the library is possible under certain conditions. Leakage of a bit-length of the scalar during scalar multiplication is possible on an elliptic curve which might allow practical recovery of the long-term private key.
References
CVSS Scores
version 3.1