jsrsasign Package up to 8.0.16 on Node.js RSASSA-PSS memory corruption

entryeditHistoryDiffjsonxmlCTI

A vulnerability, which was classified as critical, was found in jsrsasign Package up to 8.0.16 on Node.js (JavaScript Library). This affects an unknown part of the component RSASSA-PSS Handler. Upgrading to version 8.0.17 eliminates this vulnerability.

Field06/23/2020 09:48 AM06/23/2020 09:53 AM10/26/2020 02:00 PM
namejsrsasign Packagejsrsasign Packagejsrsasign Package
version<=8.0.16<=8.0.16<=8.0.16
platformNode.jsNode.jsNode.js
componentRSASSA-PSS HandlerRSASSA-PSS HandlerRSASSA-PSS Handler
risk222
historic000
cvss2_vuldb_basescore4.04.04.0
cvss2_vuldb_tempscore3.53.53.5
cvss2_vuldb_avNNN
cvss2_vuldb_acHHH
cvss2_vuldb_auNNN
cvss2_vuldb_ciNNN
cvss2_vuldb_iiPPP
cvss2_vuldb_aiPPP
cvss3_meta_basescore7.37.37.3
cvss3_meta_tempscore7.07.07.0
cvss3_vuldb_basescore4.84.84.8
cvss3_vuldb_tempscore4.64.64.6
cvss3_vuldb_avNNN
cvss3_vuldb_acHHH
cvss3_vuldb_prNNN
cvss3_vuldb_uiNNN
cvss3_vuldb_sUUU
cvss3_vuldb_cNNN
cvss3_vuldb_iLLL
cvss3_vuldb_aLLL
date1592784000 (06/22/2020)1592784000 (06/22/2020)1592784000 (06/22/2020)
price_0day$0-$5k$0-$5k$0-$5k
nameUpgradeUpgradeUpgrade
upgrade_version8.0.178.0.178.0.17
cveCVE-2020-14968CVE-2020-14968CVE-2020-14968
seealso157124 157123157124 157123157124 157123
cvss2_vuldb_eNDNDND
cvss2_vuldb_rlOFOFOF
cvss2_vuldb_rcNDNDND
cvss3_vuldb_eXXX
cvss3_vuldb_rlOOO
cvss3_vuldb_rcXXX
cvss3_nvd_basescore9.89.89.8
typeJavaScript LibraryJavaScript Library
cwe0119 (memory corruption)119 (memory corruption)
cvss2_nvd_avNN
cvss2_nvd_acLL
cvss2_nvd_auNN
cvss2_nvd_ciPP
cvss2_nvd_iiPP
cvss2_nvd_aiPP
cvss3_nvd_avNN
cvss3_nvd_acLL
cvss3_nvd_prNN
cvss3_nvd_uiNN
cvss3_nvd_sUU
cvss3_nvd_cHH
cvss3_nvd_iHH
cvss3_nvd_aHH
cve_assigned15927840001592784000
cve_nvd_summaryAn issue was discovered in the jsrsasign package before 8.0.17 for Node.js. Its RSASSA-PSS (RSA-PSS) implementation does not detect signature manipulation/modification by prepending '\0' bytes to a signature (it accepts these modified signatures as valid). An attacker can abuse this behavior in an application by creating multiple valid signatures where only one signature should exist. Also, an attacker might prepend these bytes with the goal of triggering memory corruption issues.An issue was discovered in the jsrsasign package before 8.0.17 for Node.js. Its RSASSA-PSS (RSA-PSS) implementation does not detect signature manipulation/modification by prepending '\0' bytes to a signature (it accepts these modified signatures as valid). An attacker can abuse this behavior in an application by creating multiple valid signatures where only one signature should exist. Also, an attacker might prepend these bytes with the goal of triggering memory corruption issues.
confirm_urlhttps://security.netapp.com/advisory/ntap-20200724-0001/

Want to stay up to date on a daily basis?

Enable the mail alert feature now!