High severityNVD Advisory· Published Jan 22, 2024· Updated Oct 21, 2024
CVE-2024-21484
CVE-2024-21484
Description
Versions of the package jsrsasign before 11.0.0 are vulnerable to Observable Discrepancy via the RSA PKCS1.5 or RSAOAEP decryption process. An attacker can decrypt ciphertexts by exploiting the Marvin security flaw. Exploiting this vulnerability requires the attacker to have access to a large number of ciphertexts encrypted with the same key. Workaround The vulnerability can be mitigated by finding and replacing RSA and RSAOAEP decryption with another crypto library.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
jsrsasignnpm | < 11.0.0 | 11.0.0 |
Affected products
2- jsrsasign/jsrsasigndescription
Patches
Vulnerability mechanics
References
11- github.com/advisories/GHSA-rh63-9qcf-83gfghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-21484ghsaADVISORY
- github.com/kjur/jsrsasign/issues/598ghsaWEB
- github.com/kjur/jsrsasign/releases/tag/11.0.0ghsaWEB
- github.com/kjur/jsrsasign/security/advisories/GHSA-rh63-9qcf-83gfghsaWEB
- people.redhat.com/~hkario/marvinghsaWEB
- security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-6070734ghsaWEB
- security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBKJUR-6070733ghsaWEB
- security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-6070732ghsaWEB
- security.snyk.io/vuln/SNYK-JS-JSRSASIGN-6070731ghsaWEB
- people.redhat.com/~hkario/marvin/mitre
News mentions
0No linked articles in our index yet.