PT-2020-14093 · Jsrsasign · Jsrsasign
Published 2020-06-22 · Updated 2023-01-28
CVE-2020-14966
CVSS v3.1: 7.5 (High)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
jsrsasign versions through 8.0.18
Description
An issue in the jsrsasign package allows malleability in ECDSA signatures. The package does not check for overflows in the length field of the ASN.1 SEQUENCE that wraps the signature, nor for '0' characters appended or prepended to the INTEGER values, so a modified, non-canonical encoding of an existing signature is still verified as valid. This has security implications for any application that relies on a signature having a single canonical form.
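The defender-side check the advisory implies is strict DER validation of the signature before it is verified. The following is an added example written for this record; it is not jsrsasign's own code, and the signature bytes it uses are constructed for illustration rather than taken from any real key. It parses SEQUENCE { INTEGER r, INTEGER s } and rejects the encodings the description names: a SEQUENCE length that does not match the data, a length field written in non-minimal long form, a zero byte prepended to an INTEGER, and zero bytes appended after the signature.

```javascript
// Strict DER parser for an ECDSA signature (SEQUENCE { INTEGER r, INTEGER s }).
// Added example, not jsrsasign code: every non-canonical encoding is rejected.

function readLength(buf, off) {
  // Returns { len, next } and enforces DER minimal length encoding.
  if (off >= buf.length) throw new Error("truncated length");
  const first = buf[off];
  if (first < 0x80) return { len: first, next: off + 1 };
  const n = first & 0x7f;
  // 0x80 is the indefinite form (BER only); more than 2 length bytes is
  // far beyond any ECDSA signature size.
  if (n === 0 || n > 2) throw new Error("indefinite or oversized length");
  if (off + 1 + n > buf.length) throw new Error("truncated length");
  let len = 0;
  for (let i = 0; i < n; i++) len = (len << 8) | buf[off + 1 + i];
  // Long form is only allowed when the short form cannot express the value,
  // and the first length byte must be non-zero (no zero padding).
  if (len < 0x80 || buf[off + 1] === 0) throw new Error("non-minimal length");
  return { len, next: off + 1 + n };
}

function readInteger(buf, off) {
  // Returns { value: Uint8Array, next } and enforces a minimal, positive INTEGER.
  if (buf[off] !== 0x02) throw new Error("expected INTEGER");
  const { len, next } = readLength(buf, off + 1);
  if (len === 0 || next + len > buf.length) throw new Error("bad INTEGER length");
  const v = buf.subarray(next, next + len);
  if (v[0] & 0x80) throw new Error("negative INTEGER");
  // A leading 0x00 is only permitted when it keeps a high-bit value positive.
  if (len > 1 && v[0] === 0x00 && !(v[1] & 0x80)) throw new Error("non-minimal INTEGER");
  if (v.every((b) => b === 0)) throw new Error("zero INTEGER");
  return { value: v, next: next + len };
}

function parseStrictEcdsaSignature(sig) {
  if (sig[0] !== 0x30) throw new Error("expected SEQUENCE");
  const { len, next } = readLength(sig, 1);
  // The SEQUENCE must fill the buffer exactly: no trailing bytes, no overflow.
  if (next + len !== sig.length) throw new Error("SEQUENCE length mismatch");
  const r = readInteger(sig, next);
  const s = readInteger(sig, r.next);
  if (s.next !== sig.length) throw new Error("trailing data inside SEQUENCE");
  return { r: r.value, s: s.value };
}

function isCanonicalEcdsaSignature(sig) {
  try { parseStrictEcdsaSignature(sig); return true; } catch (e) { return false; }
}

// Constructed sample values: r = 32 bytes of 0x11, s = 32 bytes of 0x22.
const sampleR = new Uint8Array(32).fill(0x11);
const sampleS = new Uint8Array(32).fill(0x22);
// Canonical DER: 30 44 02 20 <r> 02 20 <s> (70 bytes).
const canonicalSig = Uint8Array.from([0x30, 0x44, 0x02, 0x20, ...sampleR, 0x02, 0x20, ...sampleS]);

// Re-encodings of the same r and s that a lenient parser would accept.
const paddedRSig = Uint8Array.from([0x30, 0x45, 0x02, 0x21, 0x00, ...sampleR, 0x02, 0x20, ...sampleS]);
const trailingZeroSig = Uint8Array.from([...canonicalSig, 0x00]);
const longFormLengthSig = Uint8Array.from([0x30, 0x81, 0x44, ...canonicalSig.subarray(2)]);
const overflowLengthSig = Uint8Array.from([0x30, 0x45, ...canonicalSig.subarray(2)]);

console.log("canonical:", isCanonicalEcdsaSignature(canonicalSig));          // true
console.log("padded r:", isCanonicalEcdsaSignature(paddedRSig));             // false
console.log("trailing zero:", isCanonicalEcdsaSignature(trailingZeroSig));   // false
console.log("long-form length:", isCanonicalEcdsaSignature(longFormLengthSig)); // false
console.log("length overflow:", isCanonicalEcdsaSignature(overflowLengthSig)); // false
```

Calling isCanonicalEcdsaSignature before handing the bytes to the verification routine ensures that only one encoding of a given (r, s) pair can pass, which is what an application that treats a signature as a unique value needs.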
Recommendations
For versions through 8.0.18, update to a version that fixes this issue to prevent potential security risks.
Weakness Enumeration
Improper Verification of Cryptographic Signature
Affected Products
Jsrsasign