CVE-2020-14968
Summary
| CVE | CVE-2020-14968 |
|---|---|
| State | PUBLISHED |
| Assigner | mitre |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2020-06-22 12:15:10 UTC |
| Updated | 2026-06-22 03:18:31 UTC |
| Description | An issue was discovered in the jsrsasign package before 8.0.17 for Node.js. Its RSASSA-PSS (RSA-PSS) implementation does not detect signature manipulation/modification by prepending '\0' bytes to a signature (it accepts these modified signatures as valid). An attacker can abuse this behavior in an application by creating multiple valid signatures where only one signature should exist. Also, an attacker might prepend these bytes with the goal of triggering memory corruption issues. |
Risk And Classification
Primary CVSS: v3.1 9.8 CRITICAL from [email protected]
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.029300000 probability, percentile 0.852950000 (date 2026-06-24)
Problem Types: CWE-119 | n/a
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Primary | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| 2.0 | [email protected] | Primary | 7.5 | AV:N/AC:L/Au:N/C:P/I:P/A:P |
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
LowPrivileges Required
NoneUser Interaction
NoneScope
UnchangedConfidentiality
HighIntegrity
HighAvailability
HighCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v2.0 Breakdown
Access Vector
NetworkAccess Complexity
LowAuthentication
NoneConfidentiality
PartialIntegrity
PartialAvailability
PartialAV:N/AC:L/Au:N/C:P/I:P/A:P
NVD Known Affected Configurations (CPE 2.3)
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| The RSA-PSS implementation does not detect signature modification (prepending "0" bytes) to the signature · Issue #438 · kjur/jsrsasign · GitHub | af854a3a-2127-422b-91ae-364da2661108 | github.com | Exploit, Issue Tracking, Third Party Advisory |
| June 2020 Node.js Vulnerabilities in NetApp Products | NetApp Product Security | af854a3a-2127-422b-91ae-364da2661108 | security.netapp.com | Third Party Advisory |
| jsrsasign - cryptography library in JavaScript | af854a3a-2127-422b-91ae-364da2661108 | kjur.github.io | Release Notes, Third Party Advisory |
| jsrsasign | af854a3a-2127-422b-91ae-364da2661108 | www.npmjs.com | Product, Third Party Advisory |
| Release RSA decryption and RSA signature validation maleability fix · kjur/jsrsasign · GitHub | af854a3a-2127-422b-91ae-364da2661108 | github.com | Release Notes, Third Party Advisory |
| Release RSAPSS verification maleability fix and others · kjur/jsrsasign · GitHub | af854a3a-2127-422b-91ae-364da2661108 | github.com | Release Notes, Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 980504 Nodejs (npm) Security Update for jsrsasign (GHSA-q3gh-5r98-j4h3)