Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2024-21484

Versions of the package jsrsasign before 11.0.0 are vulnerable to Observable Discrepancy via the RSA PKCS1.5 or RSAOAEP decryption process. An attacker can decrypt ciphertexts by exploiting the Marvin security flaw. Exploiting this vulnerability requires the attacker to have access to a large number of ciphertexts encrypted with the same key. Workaround The vulnerability can be mitigated by finding and replacing RSA and RSAOAEP decryption with another crypto library.

Published

2024-01-22T05:15:08.720

Last Modified

2024-11-21T08:54:31.820

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 7.5 (HIGH)

Weaknesses

Type: Secondary
CWE-203
Type: Primary
CWE-203

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	jsrsasign_project	jsrsasign	< 11.0.0	Yes

References

https://github.com/kjur/jsrsasign/issues/598 Exploit, Issue Tracking, Vendor Advisory ([email protected])
https://github.com/kjur/jsrsasign/releases/tag/11.0.0 Patch, Release Notes ([email protected])
https://people.redhat.com/~hkario/marvin/ ([email protected])
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-6070734 Patch, Third Party Advisory ([email protected])
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBKJUR-6070733 Patch, Third Party Advisory ([email protected])
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-6070732 Patch, Third Party Advisory ([email protected])
https://security.snyk.io/vuln/SNYK-JS-JSRSASIGN-6070731 Patch, Third Party Advisory ([email protected])
https://github.com/kjur/jsrsasign/issues/598 Exploit, Issue Tracking, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/kjur/jsrsasign/releases/tag/11.0.0 Patch, Release Notes (af854a3a-2127-422b-91ae-364da2661108)
https://people.redhat.com/~hkario/marvin/ (af854a3a-2127-422b-91ae-364da2661108)
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-6070734 Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBKJUR-6070733 Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-6070732 Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://security.snyk.io/vuln/SNYK-JS-JSRSASIGN-6070731 Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)