CVE-2020-14968

 

Published at: - 22-06-2020 02:15

Last modified: - 27-01-2023 09:52

Total changes: - 2

Description

An issue was discovered in the jsrsasign package before 8.0.17 for Node.js. Its RSASSA-PSS (RSA-PSS) implementation does not detect signature manipulation/modification by prepending '\0' bytes to a signature (it accepts these modified signatures as valid). An attacker can abuse this behavior in an application by creating multiple valid signatures where only one signature should exist. Also, an attacker might prepend these bytes with the goal of triggering memory corruption issues.

Common Vulnerability Scoring System (CVSS)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

 

Verification logic

 

Reference

• https://github.com/kjur/jsrsasign/releases/tag/8.0.17
• https://github.com/kjur/jsrsasign/issues/438
• https://github.com/kjur/jsrsasign/releases/tag/8.0.18
• https://www.npmjs.com/package/jsrsasign
• https://kjur.github.io/jsrsasign/
• https://security.netapp.com/advisory/ntap-20200724-0001/

 

Keywords

NVD

 

CVE-2020-14968

 

CVE

 

Common vulnerabilities & exposures

 

CVSS

 

Common vulnerability scoring system

 

Security

 

Vulnerabilities

 

Exposures