CVE-2020-14967
Severity Score
9.8
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
1
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
An issue was discovered in the jsrsasign package before 8.0.18 for Node.js. Its RSA PKCS1 v1.5 decryption implementation does not detect ciphertext modification by prepending '\0' bytes to ciphertexts (it decrypts modified ciphertexts without error). An attacker might prepend these bytes with the goal of triggering memory corruption issues.
Se detectó un problema en el paquete jsrsasign versiones anteriores a 8.0.18 para Node.js. La implementación de descifrado RSA PKCS1 versión v1.5 no detecta la modificación del texto cifrado anteponiendo bytes "\0" a textos cifrados (descifra los textos cifrados modificados sin error). Un atacante podría anteponer estos bytes con el objetivo de desencadenar problemas de corrupción de la memoria
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2020-06-22 CVE Reserved
- 2020-06-22 CVE Published
- 2024-08-04 CVE Updated
- 2024-08-04 First Exploit
- 2024-10-16 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
CAPEC
References (6)
| URL | Tag | Source |
|---|---|---|
| https://github.com/kjur/jsrsasign/releases/tag/8.0.17 | Release Notes | |
| https://github.com/kjur/jsrsasign/releases/tag/8.0.18 | Release Notes | |
| https://kjur.github.io/jsrsasign | Release Notes | |
| https://security.netapp.com/advisory/ntap-20200724-0001 | Third Party Advisory |
|
| https://www.npmjs.com/package/jsrsasign | Product |
| URL | Date | SRC |
|---|---|---|
| https://github.com/kjur/jsrsasign/issues/439 | 2024-08-04 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Jsrsasign Project Search vendor "Jsrsasign Project" | Jsrsasign Search vendor "Jsrsasign Project" for product "Jsrsasign" | < 8.0.18 Search vendor "Jsrsasign Project" for product "Jsrsasign" and version " < 8.0.18" | node.js |
Affected
| ||||||
| Netapp Search vendor "Netapp" | Max Data Search vendor "Netapp" for product "Max Data" | - | - |
Affected
| ||||||