CVE-2024-21484

Severity Score

5.9

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

Versions of the package jsrsasign before 11.0.0 are vulnerable to Observable Discrepancy via the RSA PKCS1.5 or RSAOAEP decryption process. An attacker can decrypt ciphertexts by exploiting the Marvin security flaw. Exploiting this vulnerability requires the attacker to have access to a large number of ciphertexts encrypted with the same key. Workaround The vulnerability can be mitigated by finding and replacing RSA and RSAOAEP decryption with another crypto library.

Las versiones del paquete jsrsasign anteriores a 11.0.0 son vulnerables a la discrepancia observable a través del proceso de descifrado RSA PKCS1.5 o RSAOAEP. Un atacante puede descifrar textos cifrados aprovechando esta vulnerabilidad. Explotar esta vulnerabilidad requiere que el atacante tenga acceso a una gran cantidad de textos cifrados con la misma clave. Workaround esta vulnerabilidad se puede mitigar buscando y reemplazando el descifrado RSA y RSAOAEP con otra librería criptográfica.

*Credits: Hubert Kario

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

None

Availability

Low

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

None

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2023-12-22 CVE Reserved
2024-01-22 CVE Published
2024-02-28 EPSS Updated
2024-10-21 CVE Updated
2024-10-21 First Exploit
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-203: Observable Discrepancy

CAPEC

References (7)

URL	Tag	Source
https://people.redhat.com/~hkario/marvin

URL	Date	SRC
https://github.com/kjur/jsrsasign/issues/598	2024-10-21

URL	Date	SRC
https://github.com/kjur/jsrsasign/releases/tag/11.0.0	2024-03-06
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-6070734	2024-03-06
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBKJUR-6070733	2024-03-06
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-6070732	2024-03-06
https://security.snyk.io/vuln/SNYK-JS-JSRSASIGN-6070731	2024-03-06

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Jsrsasign Project Search vendor "Jsrsasign Project"		Jsrsasign Search vendor "Jsrsasign Project" for product "Jsrsasign"				< 11.0.0 Search vendor "Jsrsasign Project" for product "Jsrsasign" and version " < 11.0.0"		node.js		Affected