Fluid Attacks Database

Description

Signatures are mistakenly recognized to be valid in jsrsasign In the jsrsasign package through 10.1.13 for Node.js, some invalid RSA PKCS#1 v1.5 signatures are mistakenly recognized to be valid. NOTE: there is no known practical attack.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
npm	jsrsasign	>=0 <10.2.0	10.2.0

Aliases

1. NVD-2021-302462. GCVE-GHSA-h87q-g2wp-47pj

References

1. https://github.com/kjur/jsrsasign/issues/4782. https://github.com/kjur/jsrsasign/releases/tag/10.1.133. https://github.com/kjur/jsrsasign/releases/tag/10.2.04. https://kjur.github.io/jsrsasign

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.