jsrsasign Package up to 8.0.16 on Node.js RSASSA-PSS memory corruption


A vulnerability, which was classified as critical, was found in jsrsasign Package up to 8.0.16 on Node.js (JavaScript Library). This affects an unknown part of the component RSASSA-PSS Handler. Upgrading to version 8.0.17 eliminates this vulnerability.

Timeline

The analysis of the timeline helps to identify the required approach and handling of single vulnerabilities and vulnerability collections. This overview makes it possible to see less important slices and more severe hotspots at a glance. Initiating immediate vulnerability response and prioritizing of issues is possible.

[Timeline charts: User, Field, Commit Conf, Approve Conf]

| ID | Committed | User | Field | Change | Remarks | Moderated | Reason | C |
|---|---|---|---|---|---|---|---|---|
| 10561598 | 10/26/2020 | VulD... | confirm_url | https://security.netapp.com/advisory/ntap-20200724-0001/ | cve.mitre.org | 10/26/2020 | accepted | 70 |
| 10193397 | 06/23/2020 | VulD... | cve_nvd_summary | An issue was discovered in the jsrsasign package before 8.0.17 for Node.js. Its RSASSA-PSS (RSA-PSS) implementation does not detect signature manipulation/modification by prepending '\0' bytes to a signature (it accepts these modified signatures as valid). An attacker can abuse this behavior in an application by creating multiple valid signatures where only one signature should exist. Also, an attacker might prepend these bytes with the goal of triggering memory corruption issues. | mitre.org | 06/23/2020 | accepted | 100 |
| 10193396 | 06/23/2020 | VulD... | cve_assigned | 1592784000 | mitre.org | 06/23/2020 | accepted | 100 |
| 10193390 | 06/23/2020 | VulD... | cvss3_nvd_a | H | nist.gov | 06/23/2020 | accepted | 100 |
| 10193389 | 06/23/2020 | VulD... | cvss3_nvd_i | H | nist.gov | 06/23/2020 | accepted | 100 |
| 10193388 | 06/23/2020 | VulD... | cvss3_nvd_c | H | nist.gov | 06/23/2020 | accepted | 100 |
| 10193387 | 06/23/2020 | VulD... | cvss3_nvd_s | U | nist.gov | 06/23/2020 | accepted | 100 |
| 10193386 | 06/23/2020 | VulD... | cvss3_nvd_ui | N | nist.gov | 06/23/2020 | accepted | 100 |
| 10193385 | 06/23/2020 | VulD... | cvss3_nvd_pr | N | nist.gov | 06/23/2020 | accepted | 100 |
| 10193384 | 06/23/2020 | VulD... | cvss3_nvd_ac | L | nist.gov | 06/23/2020 | accepted | 100 |
| 10193383 | 06/23/2020 | VulD... | cvss3_nvd_av | N | nist.gov | 06/23/2020 | accepted | 100 |
| 10193370 | 06/23/2020 | VulD... | cvss2_nvd_ai | P | nist.gov | 06/23/2020 | accepted | 100 |
| 10193369 | 06/23/2020 | VulD... | cvss2_nvd_ii | P | nist.gov | 06/23/2020 | accepted | 100 |
| 10193368 | 06/23/2020 | VulD... | cvss2_nvd_ci | P | nist.gov | 06/23/2020 | accepted | 100 |
| 10193367 | 06/23/2020 | VulD... | cvss2_nvd_au | N | nist.gov | 06/23/2020 | accepted | 100 |
| 10193366 | 06/23/2020 | VulD... | cvss2_nvd_ac | L | nist.gov | 06/23/2020 | accepted | 100 |
| 10193365 | 06/23/2020 | VulD... | cvss2_nvd_av | N | nist.gov | 06/23/2020 | accepted | 100 |
| 10193354 | 06/23/2020 | VulD... | cwe | 119 (memory corruption) | | 06/23/2020 | accepted | 100 |
| 10193349 | 06/23/2020 | VulD... | type | JavaScript Library | | 06/23/2020 | accepted | 100 |
| 10193405 | 06/23/2020 | VulD... | cvss3_nvd_basescore | 9.8 | nist.gov | 06/23/2020 | accepted | 90 |