Bug 2259531 (CVE-2024-21484) - CVE-2024-21484 jsrsasign: vulnerable to Observable Discrepancy via the RSA PKCS1.5 or RSAOAEP decryption process
Keywords:
Status: NEW
Alias: CVE-2024-21484
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2259533
Reported: 2024-01-22 08:46 UTC by Rohit Keshri
Modified: 2024-04-09 13:00 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Rohit Keshri 2024-01-22 08:46:28 UTC
Versions of the package jsrsasign before 11.0.0 are vulnerable to Observable Discrepancy via the RSA PKCS1.5 or RSAOAEP decryption process. An attacker can decrypt ciphertexts by exploiting this vulnerability. Exploiting this vulnerability requires the attacker to have access to a large number of ciphertexts encrypted with the same key.

Workaround

This vulnerability can be mitigated by finding and replacing RSA and RSAOAEP decryption with another crypto library.

https://github.com/kjur/jsrsasign/issues/598
https://github.com/kjur/jsrsasign/releases/tag/11.0.0
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-6070734
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBKJUR-6070733
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-6070732
https://security.snyk.io/vuln/SNYK-JS-JSRSASIGN-6070731

