PT-2026-27055 · Jsrsasign · Jsrsasign
Kr0Emer
·
Publicado
2026-03-23
·
Atualizado
2026-03-31
·
CVE-2026-4599
CVSS v4.0
9.3
Crítica
| Vetor | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
jsrsasign versions 7.0.0 through 11.1.1
Description
The jsrsasign package is susceptible to an issue involving incomplete comparison with missing factors within the
getRandomBigIntegerZeroToMax and getRandomBigIntegerMinToMax functions located in src/crypto-1.1.js. This flaw allows an attacker to potentially recover the private key by exploiting incorrect compareTo checks. These checks accept out-of-range candidates, which biases DSA nonces during signature generation.Recommendations
Versions 7.0.0 through 11.1.1 are vulnerable and should be updated.
Exploit
Correção
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Jsrsasign