User enumeration in jsrsasign

Description

RSA and RSAOAEP decryption in jsrsasign is vulnerable to the Marvin Attack.

Impact

An attacker may be able to decrypt RSA PKCS#1 v1.5 or RSAOAEP ciphertexts by exploiting this Marvin attack vulnerability.

Patches

Update to jsrsasign 11.0.0.

Workarounds

Find the places where RSA and RSAOAEP decryption is performed with jsrsasign and replace them with another crypto library.
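To support the "find" half of this workaround, the following added example (not part of the advisory and not jsrsasign code) checks a resolved jsrsasign version against the patched release and scans source text for decryption calls. The call shapes it matches (Cipher.decrypt, decryptOAEP, and .decrypt on a key-like variable), the sample source, and the assumption that every release older than 11.0.0 is in scope are illustrative.

```javascript
const FIXED = [11, 0, 0]; // patched release named under "Patches"

// True when an x.y.z version is older than the patched release.
// Assumption: every older release is in scope (the page lists no range).
function isAffectedVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error("unparseable version: " + version);
  const parts = m.slice(1).map(Number);
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== FIXED[i]) return parts[i] < FIXED[i];
  }
  return false; // exactly 11.0.0
}

// Assumed call shapes for RSA / RSAOAEP decryption through jsrsasign.
const PATTERNS = [
  { name: "Cipher.decrypt", re: /\bCipher\s*\.\s*decrypt\s*\(/ },
  { name: "decryptOAEP", re: /\.\s*decryptOAEP\s*\(/ },
  { name: "key.decrypt", re: /\b\w*(?:rsa|key|prv)\w*\s*\.\s*decrypt\s*\(/i },
];

// Heuristic line scan: returns [{line, name, text}] for each suspect call.
function findDecryptCalls(source) {
  const hits = [];
  source.split(/\r?\n/).forEach((text, i) => {
    const code = text.replace(/\/\/.*$/, ""); // skip line comments
    const p = PATTERNS.find((pat) => pat.re.test(code));
    if (p) hits.push({ line: i + 1, name: p.name, text: text.trim() });
  });
  return hits;
}

// Constructed sample source, not taken from any real project.
const SAMPLE = [
  'const rs = require("jsrsasign");',
  "const prvKey = rs.KEYUTIL.getKey(pem);",
  'const a = rs.KJUR.crypto.Cipher.decrypt(hex, prvKey, "RSAOAEP");',
  "const b = prvKey.decrypt(hex);",
  '// const c = prvKey.decryptOAEP(hex, "sha256");',
  'const sig = new rs.KJUR.crypto.Signature({ alg: "SHA256withRSA" });',
].join("\n");

// Combine both checks: action is needed when an affected version decrypts.
function audit(version, source) {
  const affected = isAffectedVersion(version);
  const hits = findDecryptCalls(source);
  return { affected, hits, actionNeeded: affected && hits.length > 0 };
}
console.log(JSON.stringify(audit("10.9.0", SAMPLE), null, 2));
```

The scan is a line-based heuristic, so treat its hits as candidates for manual review rather than a complete inventory.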

References

https://people.redhat.com/~hkario/marvin/
https://github.com/kjur/jsrsasign/issues/598
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21484

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.
