CVE-2024-21484
Summary
| CVE | CVE-2024-21484 |
|---|---|
| State | PUBLISHED |
| Assigner | snyk |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2024-01-22 05:15:08 UTC |
| Updated | 2026-06-22 03:18:31 UTC |
| Description | Versions of the package jsrsasign before 11.0.0 are vulnerable to Observable Discrepancy via the RSA PKCS1.5 or RSAOAEP decryption process. An attacker can decrypt ciphertexts by exploiting the Marvin security flaw. Exploiting this vulnerability requires the attacker to have access to a large number of ciphertexts encrypted with the same key. Workaround: The vulnerability can be mitigated by finding and replacing RSA and RSAOAEP decryption with another crypto library. |
Risk And Classification
Primary CVSS: v3.1 5.9 MEDIUM from [email protected]
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.009600000 probability, percentile 0.569100000 (date 2026-06-24)
Problem Types: CWE-203 Observable Discrepancy
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Primary | 5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |
| 3.1 | [email protected] | Secondary | 7.5 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:L |
| 3.1 | CNA | DECLARED | 7.5 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:L/E:P |
CVSS v3.1 Breakdown
| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | High |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | None |
| Availability | None |
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
NVD Known Affected Configurations (CPE 2.3)
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Na | Jsrsasign | affected 11.0.0 semver | Not specified |
| CNA | Na | Org.webjars.npmjsrsasign | affected * semver | Not specified |
| CNA | Na | Org.webjars.bowergithub.kjurjsrsasign | affected * semver | Not specified |
| CNA | Na | Org.webjars.bowerjsrsasign | affected * semver | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Observable Discrepancy in org.webjars.bower:jsrsasign \| CVE-2024-21484 \| Snyk | af854a3a-2127-422b-91ae-364da2661108 | security.snyk.io | Patch, Third Party Advisory |
| people.redhat.com/~hkario/marvin | af854a3a-2127-422b-91ae-364da2661108 | people.redhat.com | |
| Observable Discrepancy in org.webjars.npm:jsrsasign \| CVE-2024-21484 \| Snyk | af854a3a-2127-422b-91ae-364da2661108 | security.snyk.io | Patch, Third Party Advisory |
| Observable Discrepancy in jsrsasign \| CVE-2024-21484 \| Snyk | af854a3a-2127-422b-91ae-364da2661108 | security.snyk.io | Patch, Third Party Advisory |
| jsrsasign vulnerable to the Marvin Attack · Issue #598 · kjur/jsrsasign · GitHub | af854a3a-2127-422b-91ae-364da2661108 | github.com | Exploit, Issue Tracking, Vendor Advisory |
| Observable Discrepancy in org.webjars.bowergithub.kjur:jsrsasign \| CVE-2024-21484 \| Snyk | af854a3a-2127-422b-91ae-364da2661108 | security.snyk.io | Patch, Third Party Advisory |
| Release remove RSA and RSAOAEP encryption for Marvin attack · kjur/jsrsasign · GitHub | af854a3a-2127-422b-91ae-364da2661108 | github.com | Patch, Release Notes |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Hubert Kario (en)
There are currently no legacy QID mappings associated with this CVE.