mirror of
https://github.com/CVEProject/cvelist.git
synced 2025-08-04 08:44:25 +00:00
155 lines
6.1 KiB
JSON
155 lines
6.1 KiB
JSON
{
|
|
"data_version": "4.0",
|
|
"data_type": "CVE",
|
|
"data_format": "MITRE",
|
|
"CVE_data_meta": {
|
|
"ID": "CVE-2024-21484",
|
|
"ASSIGNER": "report@snyk.io",
|
|
"STATE": "PUBLIC"
|
|
},
|
|
"description": {
|
|
"description_data": [
|
|
{
|
|
"lang": "eng",
|
|
"value": "Versions of the package jsrsasign before 11.0.0 are vulnerable to Observable Discrepancy via the RSA PKCS1.5 or RSAOAEP decryption process. An attacker can decrypt ciphertexts by exploiting the Marvin security flaw. Exploiting this vulnerability requires the attacker to have access to a large number of ciphertexts encrypted with the same key.\r\r Workaround \r\rThe vulnerability can be mitigated by finding and replacing RSA and RSAOAEP decryption with another crypto library."
|
|
}
|
|
]
|
|
},
|
|
"problemtype": {
|
|
"problemtype_data": [
|
|
{
|
|
"description": [
|
|
{
|
|
"lang": "eng",
|
|
"value": "Observable Discrepancy",
|
|
"cweId": "CWE-203"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
},
|
|
"affects": {
|
|
"vendor": {
|
|
"vendor_data": [
|
|
{
|
|
"vendor_name": "n/a",
|
|
"product": {
|
|
"product_data": [
|
|
{
|
|
"product_name": "jsrsasign",
|
|
"version": {
|
|
"version_data": [
|
|
{
|
|
"version_affected": "<",
|
|
"version_name": "0",
|
|
"version_value": "11.0.0"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"product_name": "org.webjars.npm:jsrsasign",
|
|
"version": {
|
|
"version_data": [
|
|
{
|
|
"version_affected": "<",
|
|
"version_name": "0",
|
|
"version_value": "*"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"product_name": "org.webjars.bowergithub.kjur:jsrsasign",
|
|
"version": {
|
|
"version_data": [
|
|
{
|
|
"version_affected": "<",
|
|
"version_name": "0",
|
|
"version_value": "*"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"product_name": "org.webjars.bower:jsrsasign",
|
|
"version": {
|
|
"version_data": [
|
|
{
|
|
"version_affected": "<",
|
|
"version_name": "0",
|
|
"version_value": "*"
|
|
}
|
|
]
|
|
}
|
|
}
|
|
]
|
|
}
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"references": {
|
|
"reference_data": [
|
|
{
|
|
"url": "https://security.snyk.io/vuln/SNYK-JS-JSRSASIGN-6070731",
|
|
"refsource": "MISC",
|
|
"name": "https://security.snyk.io/vuln/SNYK-JS-JSRSASIGN-6070731"
|
|
},
|
|
{
|
|
"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-6070732",
|
|
"refsource": "MISC",
|
|
"name": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-6070732"
|
|
},
|
|
{
|
|
"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBKJUR-6070733",
|
|
"refsource": "MISC",
|
|
"name": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBKJUR-6070733"
|
|
},
|
|
{
|
|
"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-6070734",
|
|
"refsource": "MISC",
|
|
"name": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-6070734"
|
|
},
|
|
{
|
|
"url": "https://github.com/kjur/jsrsasign/issues/598",
|
|
"refsource": "MISC",
|
|
"name": "https://github.com/kjur/jsrsasign/issues/598"
|
|
},
|
|
{
|
|
"url": "https://github.com/kjur/jsrsasign/releases/tag/11.0.0",
|
|
"refsource": "MISC",
|
|
"name": "https://github.com/kjur/jsrsasign/releases/tag/11.0.0"
|
|
},
|
|
{
|
|
"url": "https://people.redhat.com/~hkario/marvin/",
|
|
"refsource": "MISC",
|
|
"name": "https://people.redhat.com/~hkario/marvin/"
|
|
}
|
|
]
|
|
},
|
|
"credits": [
|
|
{
|
|
"lang": "en",
|
|
"value": "Hubert Kario"
|
|
}
|
|
],
|
|
"impact": {
|
|
"cvss": [
|
|
{
|
|
"version": "3.1",
|
|
"attackVector": "NETWORK",
|
|
"attackComplexity": "HIGH",
|
|
"privilegesRequired": "NONE",
|
|
"userInteraction": "NONE",
|
|
"scope": "CHANGED",
|
|
"confidentialityImpact": "HIGH",
|
|
"integrityImpact": "NONE",
|
|
"availabilityImpact": "LOW",
|
|
"baseScore": 7.5,
|
|
"baseSeverity": "HIGH",
|
|
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:L/E:P"
|
|
}
|
|
]
|
|
}
|
|
} |