High severityNVD Advisory· Published Jun 22, 2020· Updated Aug 4, 2024
CVE-2020-14966
CVE-2020-14966
Description
An issue was discovered in the jsrsasign package through 8.0.18 for Node.js. It allows a malleability in ECDSA signatures by not checking overflows in the length of a sequence and '0' characters appended or prepended to an integer. The modified signatures are verified as valid. This could have a security-relevant impact if an application relied on a single canonical signature.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
jsrsasignnpm | >= 4.0.0, < 8.0.19 | 8.0.19 |
Affected products
2- Node.js/jsrsasigndescription
Patches
Vulnerability mechanics
References
16- github.com/advisories/GHSA-p8c3-7rj8-q963ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2020-14966ghsaADVISORY
- cve.mitre.org/cgi-bin/cvename.cgighsaWEB
- github.com/kjur/jsrsasign/commit/6087412d072a57074d3c4c1b40bdde0460d53a7fghsaWEB
- github.com/kjur/jsrsasign/issues/437ghsax_refsource_MISCWEB
- github.com/kjur/jsrsasign/releases/tag/8.0.17ghsax_refsource_MISCWEB
- github.com/kjur/jsrsasign/releases/tag/8.0.18ghsax_refsource_MISCWEB
- github.com/kjur/jsrsasign/security/advisories/GHSA-p8c3-7rj8-q963ghsaWEB
- kjur.github.io/jsrsasignghsaWEB
- kjur.github.io/jsrsasign/mitrex_refsource_MISC
- kjur.github.io/jsrsasign/api/symbols/ASN1HEX.htmlghsaWEB
- kjur.github.io/jsrsasign/api/symbols/KJUR.crypto.ECDSA.htmlghsaWEB
- security.netapp.com/advisory/ntap-20200724-0001ghsaWEB
- security.netapp.com/advisory/ntap-20200724-0001/mitrex_refsource_CONFIRM
- vuldb.comghsaWEB
- www.npmjs.com/package/jsrsasignghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.