Description
In the jsrsasign package through 10.1.13 for Node.js, some invalid RSA PKCS#1 v1.5 signatures are mistakenly recognized to be valid. NOTE: there is no known practical attack.
Recommendation
Update the jsrsasign package to the latest compatible version. Version details:
- Affected version(s): < 10.2.0
- Patched version(s): 10.2.0
References
Related Issues
- RSA signature validation vulnerability on malleable encoded message in jsrsasign - CVE-2021-30246
- RSA PKCS#1 decryption vulnerability with prepending zeros in jsrsasign - CVE-2020-14967
- RSA-PSS signature validation vulnerability by prepending zeros in jsrsasign - CVE-2020-14968
- JWS and JWT signature validation vulnerability with special characters - CVE-2022-25898
Tags: npm, jsrsasign
Last updated on January 09, 2023