CVE-2020-14968
 
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
An issue was discovered in the jsrsasign package before 8.0.17 for Node.js. Its RSASSA-PSS (RSA-PSS) implementation does not detect signature manipulation/modification by prepending '\0' bytes to a signature (it accepts these modified signatures as valid). An attacker can abuse this behavior in an application by creating multiple valid signatures where only one signature should exist. Also, an attacker might prepend these bytes with the goal of triggering memory corruption issues.
Se detectó un problema en el paquete jsrsasign versiones anteriores a 8.0.17 para Node.js. La implementación de RSASSA-PSS (RSA-PSS) no detecta la manipulación y modificación de firma al anteponer bytes "\0" a una firma (acepta estas firmas modificadas como válidas). Un atacante puede abusar de este comportamiento en una aplicación al crear múltiples firmas válidas donde solo debe existir una firma. Además, un atacante podría anteponer estos bytes con el objetivo de desencadenar problemas de corrupción de la memoria
CVSS Scores
SSVC
- Decision:-
Timeline
- 2020-06-22 CVE Reserved
- 2020-06-22 CVE Published
- 2024-08-04 CVE Updated
- 2024-08-04 First Exploit
- 2024-10-16 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
CAPEC
References (6)
URL | Tag | Source |
---|---|---|
https://github.com/kjur/jsrsasign/releases/tag/8.0.17 | Release Notes | |
https://github.com/kjur/jsrsasign/releases/tag/8.0.18 | Release Notes | |
https://kjur.github.io/jsrsasign | Release Notes | |
https://security.netapp.com/advisory/ntap-20200724-0001 | Third Party Advisory | |
https://www.npmjs.com/package/jsrsasign | Product |
URL | Date | SRC |
---|---|---|
https://github.com/kjur/jsrsasign/issues/438 | 2024-08-04 |
URL | Date | SRC |
---|
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Jsrsasign Project Search vendor "Jsrsasign Project" | Jsrsasign Search vendor "Jsrsasign Project" for product "Jsrsasign" | < 8.0.17 Search vendor "Jsrsasign Project" for product "Jsrsasign" and version " < 8.0.17" | node.js |
Affected
| ||||||
Netapp Search vendor "Netapp" | Max Data Search vendor "Netapp" for product "Max Data" | - | - |
Affected
|