CVE-2024-21484

HIGH

Jsrsasign < 11.0.0 - Information Disclosure

Title source: rule

Description

Versions of the package jsrsasign before 11.0.0 are vulnerable to Observable Discrepancy via the RSA PKCS1.5 or RSAOAEP decryption process. An attacker can decrypt ciphertexts by exploiting the Marvin security flaw. Exploiting this vulnerability requires the attacker to have access to a large number of ciphertexts encrypted with the same key. Workaround The vulnerability can be mitigated by finding and replacing RSA and RSAOAEP decryption with another crypto library.

References (7)

[Exploit, Issue Tracking, Vendor Advisory] https://github.com/kjur/jsrsasign/issues/598

[Patch, Release Notes] https://github.com/kjur/jsrsasign/releases/tag/11.0.0

[Patch, Third Party Advisory] https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-6070734

[Patch, Third Party Advisory] https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBKJUR-6070733

[Patch, Third Party Advisory] https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-6070732

[Patch, Third Party Advisory] https://security.snyk.io/vuln/SNYK-JS-JSRSASIGN-6070731

[Various Sources] https://people.redhat.com/~hkario/marvin/

Scores

CVSS v3 7.5

EPSS 0.0024

EPSS Percentile 47.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-203

Status published

Products (2)

jsrsasign_project/jsrsasign < 11.0.0

npm/jsrsasign 0 - 11.0.0npm

Published Jan 22, 2024

Tracked Since Feb 18, 2026