CVE-2020-14967
Summary
| CVE | CVE-2020-14967 |
|---|
| State | PUBLIC |
|---|
| Assigner | [email protected] |
|---|
| Source Priority | CVE Program / NVD first with legacy fallback |
|---|
| Published | 2020-06-22 12:15:00 UTC |
|---|
| Updated | 2023-01-28 00:57:00 UTC |
|---|
| Description | An issue was discovered in the jsrsasign package before 8.0.18 for Node.js. Its RSA PKCS1 v1.5 decryption implementation does not detect ciphertext modification by prepending '\0' bytes to ciphertexts (it decrypts modified ciphertexts without error). An attacker might prepend these bytes with the goal of triggering memory corruption issues. |
|---|
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|
| June 2020 Node.js Vulnerabilities in NetApp Products | NetApp Product Security |
CONFIRM |
security.netapp.com |
|
| Release RSA decryption and RSA signature validation maleability fix · kjur/jsrsasign · GitHub |
MISC |
github.com |
Release Notes, Third Party Advisory |
| The RSA PKCS1 v1.5 decryption implementation does not detect ciphertext modification (prepended 0's bytes to the ciphertext) · Issue #439 · kjur/jsrsasign · GitHub |
MISC |
github.com |
Exploit, Third Party Advisory |
| Release RSAPSS verification maleability fix and others · kjur/jsrsasign · GitHub |
MISC |
github.com |
Release Notes, Third Party Advisory |
| jsrsasign |
MISC |
www.npmjs.com |
Product, Third Party Advisory |
| jsrsasign - cryptography library in JavaScript |
MISC |
kjur.github.io |
Release Notes, Third Party Advisory |
| CVE Program record |
CVE.ORG |
www.cve.org |
canonical |
| NVD vulnerability detail |
NVD |
nvd.nist.gov |
canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 980500 Nodejs (npm) Security Update for jsrsasign (GHSA-xxxq-chmp-67g4)
