RSA PKCS#1 v1.5 or RSA-OAEP ciphertexts may be decrypted by an attacker who exploits this Marvin attack vulnerability, an observable timing discrepancy in the decryption code (CWE-203).
Fix: update to jsrsasign 11.0.0.
Workaround: find and replace RSA and RSAOAEP decryption with another crypto library.
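As an added example (not part of the advisory or of the jsrsasign project), the check below walks a constructed package-lock.json v3 style `packages` map and flags every jsrsasign copy, direct or nested, whose version falls in the vulnerable range `< 11.0.0`; a prerelease of 11.0.0 is treated as still vulnerable.

```javascript
// Added example: flag jsrsasign installs below the first patched release 11.0.0
// in a package-lock.json (lockfileVersion 2/3) "packages" map. Sample data below
// is constructed, not taken from any real project.
const VULNERABLE_PACKAGE = "jsrsasign";
const FIRST_PATCHED = "11.0.0";

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(version);
  if (!m) throw new Error(`unparseable version: ${version}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Comparator: negative if a < b. A prerelease sorts before the same release
// (11.0.0-rc1 < 11.0.0), so it is still inside the vulnerable range.
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (const k of ["major", "minor", "patch"]) {
    if (pa[k] !== pb[k]) return pa[k] - pb[k];
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// Lockfile keys look like "node_modules/foo" or, for nested copies,
// "node_modules/foo/node_modules/jsrsasign"; the package name is the last segment.
function findVulnerable(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (name !== VULNERABLE_PACKAGE || !entry.version) continue;
    if (compareSemver(entry.version, FIRST_PATCHED) < 0) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample: one patched direct copy and one vulnerable nested copy.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app", version: "1.0.0" },
    "node_modules/jsrsasign": { version: "11.0.0" },
    "node_modules/some-dep": { version: "2.3.1" },
    "node_modules/some-dep/node_modules/jsrsasign": { version: "10.9.0" },
  },
};

console.log(findVulnerable(sampleLock));
```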
https://people.redhat.com/~hkario/marvin/
https://github.com/kjur/jsrsasign/issues/598
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-6070732
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21484
| Score | Percentile |
|---|---|
| 0.24% | 46.75% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 7.5 | 3.1 | — | — |
| Type | Value |
|---|---|
| GHSA | GHSA-rh63-9qcf-83gf |
| CVE | CVE-2024-21484 |
| CWE id | Name |
|---|---|
| CWE-203 | Observable Discrepancy |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| npm | jsrsasign | < 11.0.0 | 11.0.0 | — |