Observable Discrepancy Affecting jsrsasign package, versions <11.0.0
Threat Intelligence
Exploit Maturity
Proof of concept
EPSS
0.08% (37th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JS-JSRSASIGN-6070731
- published 21 Jan 2024
- disclosed 21 Nov 2023
- credit Hubert Kario
Introduced: 21 Nov 2023
CVE-2024-21484 Open this link in a new tabHow to fix?
Upgrade jsrsasign
to version 11.0.0 or higher.
Overview
jsrsasign is a free pure JavaScript cryptographic library.
Affected versions of this package are vulnerable to Observable Discrepancy via the RSA PKCS#1.5 or RSAOAEP decryption process. An attacker can decrypt ciphertexts by exploiting the Marvin security flaw. Exploiting this vulnerability requires the attacker to have access to a large number of ciphertexts encrypted with the same key.
Workaround
The vulnerability can be mitigated by finding and replacing RSA and RSAOAEP decryption with another crypto library.
References
CVSS Scores
version 3.1