{ "id": "CVE-2020-14966", "sourceIdentifier": "cve@mitre.org", "published": "2020-06-22T12:15:10.087", "lastModified": "2023-01-28T00:57:26.257", "vulnStatus": "Analyzed", "descriptions": [ { "lang": "en", "value": "An issue was discovered in the jsrsasign package through 8.0.18 for Node.js. It allows a malleability in ECDSA signatures by not checking overflows in the length of a sequence and '0' characters appended or prepended to an integer. The modified signatures are verified as valid. This could have a security-relevant impact if an application relied on a single canonical signature." }, { "lang": "es", "value": "Se detect\u00f3 un problema en el paquete jsrsasign por medio de 8.0.18 para Node.js. Permite una maleabilidad en las firmas ECDSA al no comprobar los desbordamientos en la longitud de una secuencia y los caracteres \"0\" agregados o antepuestos a un entero. Las firmas modificadas son verificadas como v\u00e1lidas. Esto podr\u00eda tener un impacto relevante para la seguridad si una aplicaci\u00f3n se basara en una sola firma can\u00f3nica" } ], "metrics": { "cvssMetricV31": [ { "source": "nvd@nist.gov", "type": "Primary", "cvssData": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH" }, "exploitabilityScore": 3.9, "impactScore": 3.6 } ], "cvssMetricV2": [ { "source": "nvd@nist.gov", "type": "Primary", "cvssData": { "version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "availabilityImpact": "NONE", "baseScore": 5.0 }, "baseSeverity": "MEDIUM", "exploitabilityScore": 10.0, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false } ] }, "weaknesses": [ { "source": "nvd@nist.gov", "type": "Primary", "description": [ { "lang": "en", "value": "CWE-347" } ] } ], "configurations": [ { "nodes": [ { "operator": "OR", "negate": false, "cpeMatch": [ { "vulnerable": true, "criteria": "cpe:2.3:a:jsrsasign_project:jsrsasign:*:*:*:*:*:node.js:*:*", "versionEndIncluding": "8.0.18", "matchCriteriaId": "435B4E0A-10B0-41B8-B6DA-454D375C127D" } ] } ] }, { "nodes": [ { "operator": "OR", "negate": false, "cpeMatch": [ { "vulnerable": true, "criteria": "cpe:2.3:a:netapp:max_data:-:*:*:*:*:*:*:*", "matchCriteriaId": "FD1FCB0D-3E19-4461-9330-4D7F02972A35" } ] } ] } ], "references": [ { "url": "https://github.com/kjur/jsrsasign/issues/437", "source": "cve@mitre.org", "tags": [ "Exploit", "Issue Tracking", "Third Party Advisory" ] }, { "url": "https://github.com/kjur/jsrsasign/releases/tag/8.0.17", "source": "cve@mitre.org", "tags": [ "Release Notes", "Third Party Advisory" ] }, { "url": "https://github.com/kjur/jsrsasign/releases/tag/8.0.18", "source": "cve@mitre.org", "tags": [ "Release Notes", "Third Party Advisory" ] }, { "url": "https://kjur.github.io/jsrsasign/", "source": "cve@mitre.org", "tags": [ "Release Notes", "Third Party Advisory" ] }, { "url": "https://security.netapp.com/advisory/ntap-20200724-0001/", "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ] }, { "url": "https://www.npmjs.com/package/jsrsasign", "source": "cve@mitre.org", "tags": [ "Product", "Third Party Advisory" ] } ] }