CVE-2020-14968

Name of the Vulnerable Software and Affected Versions jsrsasign versions prior to 8.0.17

Description The issue concerns the RSASSA-PSS (RSA-PSS) implementation in the jsrsasign package, which fails to detect signature manipulation by prepending '0' bytes to a signature, accepting these modified signatures as valid. This behavior can be exploited by an attacker to create multiple valid signatures where only one should exist, or to trigger potential memory corruption issues by prepending these bytes.

Recommendations For versions prior to 8.0.17, update to version 8.0.17 or later to resolve the issue. As a temporary workaround, consider validating signatures to detect and prevent the prepending of '0' bytes.