CVE-2020-14966
Summary
| Field | Value |
|---|---|
| CVE | CVE-2020-14966 |
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2020-06-22 12:15:00 UTC |
| Updated | 2023-01-28 00:57:00 UTC |
| Description | An issue was discovered in the jsrsasign package through 8.0.18 for Node.js. It allows a malleability in ECDSA signatures by not checking overflows in the length of a sequence and '0' characters appended or prepended to an integer. The modified signatures are verified as valid. This could have a security-relevant impact if an application relied on a single canonical signature. |
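The description above concerns ECDSA signatures whose DER encoding is accepted even when length fields do not match the bytes present or an integer carries zero bytes it does not need. The following strict parser is an added example, not code from jsrsasign or from the CVE record: it returns r and s only for canonical DER and rejects the variants the description names, which is the check a verifier can apply before the mathematical signature check. It assumes Node.js (for `Buffer`); the sample signature values are constructed, not real signatures.

```javascript
// Strict DER parser for an ECDSA signature, SEQUENCE { INTEGER r, INTEGER s }.
// Returns { r, s } as minimal lowercase hex strings, or null whenever the bytes
// are not canonical DER: wrong or overflowing length fields, trailing bytes,
// negative integers, or a leading 0x00 that the value does not need.
// Short-form lengths only: a P-256/P-384/P-521 signature never needs the long form.
function parseStrictEcdsaDer(sigHex) {
  if (typeof sigHex !== "string" || sigHex.length % 2 !== 0 ||
      !/^[0-9a-fA-F]*$/.test(sigHex)) return null;
  const b = Buffer.from(sigHex, "hex");
  // Outer SEQUENCE: its length byte must cover the remaining bytes exactly.
  if (b.length < 8 || b[0] !== 0x30 || b[1] >= 0x80 || b[1] !== b.length - 2) return null;
  let pos = 2;
  const ints = [];
  for (let i = 0; i < 2; i++) {
    if (pos + 2 > b.length || b[pos] !== 0x02) return null;
    const len = b[pos + 1];
    if (len === 0 || len >= 0x80 || pos + 2 + len > b.length) return null;
    const v = b.subarray(pos + 2, pos + 2 + len);
    if (v[0] & 0x80) return null;                                // negative r or s
    if (len > 1 && v[0] === 0x00 && !(v[1] & 0x80)) return null; // needless 0x00 pad
    ints.push(v.subarray(v[0] === 0x00 ? 1 : 0).toString("hex"));
    pos += 2 + len;
  }
  // Leftover bytes mean the inner lengths did not add up to the SEQUENCE length.
  if (pos !== b.length) return null;
  return { r: ints[0], s: ints[1] };
}

// Constructed sample values (not a real signature): r has its high bit clear,
// s has it set, so canonical DER pads s with one 0x00 and r with none.
const R_HEX = "7f" + "11".repeat(31);
const S_HEX = "80" + "22".repeat(31);
const derInt = (hex) => "02" + (hex.length / 2).toString(16).padStart(2, "0") + hex;
const derSeq = (hex) => "30" + (hex.length / 2).toString(16).padStart(2, "0") + hex;

const CANONICAL_SIG = derSeq(derInt(R_HEX) + derInt("00" + S_HEX));
// Same r and s, but r carries a leading 0x00 it does not need (lengths adjusted).
const PADDED_R_SIG = derSeq(derInt("00" + R_HEX) + derInt("00" + S_HEX));
// Canonical bytes with one byte appended; the SEQUENCE length no longer matches.
const TRAILING_SIG = CANONICAL_SIG + "00";
```

A lenient parser would return the same r and s for all three inputs, so all three would verify; the strict one accepts only `CANONICAL_SIG`.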
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| June 2020 Node.js Vulnerabilities in NetApp Products (NetApp Product Security) | CONFIRM | security.netapp.com | |
| Release RSA decryption and RSA signature validation maleability fix · kjur/jsrsasign · GitHub | MISC | github.com | Release Notes, Third Party Advisory |
| Lack of encoding checking in jsrsasign allows a certain degree of malleability in ECDSA signatures · Issue #437 · kjur/jsrsasign · GitHub | MISC | github.com | Exploit, Third Party Advisory |
| Release RSAPSS verification maleability fix and others · kjur/jsrsasign · GitHub | MISC | github.com | Release Notes, Third Party Advisory |
| jsrsasign | MISC | www.npmjs.com | Product, Third Party Advisory |
| jsrsasign - cryptography library in JavaScript | MISC | kjur.github.io | Release Notes, Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 980503 Nodejs (npm) Security Update for jsrsasign (GHSA-p8c3-7rj8-q963)