Description
An issue was discovered in the jsrsasign package before 8.0.18 for Node.js. Its RSA PKCS1 v1.5 decryption implementation does not detect ciphertext modification by prepending '\0' bytes to ciphertexts (it decrypts modified ciphertexts without error). An attacker might prepend these bytes with the goal of triggering memory corruption issues.
References (6)
Core References
Release Notes, Third Party Advisory x_refsource_misc
https://kjur.github.io/jsrsasign/
Product, Third Party Advisory x_refsource_misc
https://www.npmjs.com/package/jsrsasign
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/kjur/jsrsasign/releases/tag/8.0.18
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/kjur/jsrsasign/releases/tag/8.0.17
Exploit, Issue Tracking, Third Party Advisory x_refsource_misc
https://github.com/kjur/jsrsasign/issues/439
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20200724-0001/
Scores
CVSS v3
9.8
EPSS
0.0034
EPSS Percentile
56.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-119
Status
published
Products (3)
jsrsasign_project/jsrsasign
< 8.0.18
netapp/max_data
npm/jsrsasign
0 - 8.0.18 (npm)
Published
Jun 22, 2020
Tracked Since
Feb 18, 2026