PT-2020-21298 · Jsrsasign · Jsrsasign

Published: 2020-06-30 · Updated: 2020-06-30

CVSS v3.1: 5.9 (Medium)

Vector: AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N

Name of the Vulnerable Software and Affected Versions

jsrsasign versions prior to 8.0.13

Description

jsrsasign is affected by a timing side-channel attack on EC known as Minerva. By observing the execution time of thousands of signature generations, an attacker can potentially recover the EC private key. The issue arises because the time taken by point and scalar multiplication depends on the bits of the scalar, which is the EC private key, so the key can be guessed from the processing time of EC key generation or ECDSA signing. Users who do not use the ECDSA class are not affected.

Recommendations

For versions prior to 8.0.13, upgrade to 8.0.13 or later to resolve the issue. As a temporary workaround, consider avoiding the use of the ECDSA class until the update is applied. There are no other workarounds for jsrsasign; updating the library or using an alternative ECDSA library is recommended.
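
The upgrade recommendation above can be checked mechanically. The following is an added example, not part of the original advisory or of the jsrsasign project: it scans a parsed npm `package-lock.json` for installed jsrsasign copies below 8.0.13. The function names, the sample lockfile and the `some-jwt-lib` package name are constructed for illustration.

```javascript
const FIXED = [8, 0, 13]; // first fixed version, taken from the advisory
// True when "MAJOR.MINOR.PATCH" is strictly lower than FIXED.
// Unparseable values (git URLs, tags) are reported for manual review.
function isAffected(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  if (!m) return true;
  const parts = m.slice(1).map(Number);
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== FIXED[i]) return parts[i] < FIXED[i];
  }
  return false; // exactly 8.0.13
}

// Collect every installed jsrsasign copy from a parsed package-lock.json.
// lockfileVersion 2/3 lists installs under "packages" keyed by path;
// lockfileVersion 1 nests them under "dependencies".
function findJsrsasign(lock) {
  const hits = [];
  for (const [path, info] of Object.entries(lock.packages || {})) {
    if (path === "node_modules/jsrsasign" || path.endsWith("/node_modules/jsrsasign")) {
      hits.push({ where: path, version: info.version });
    }
  }
  const walk = (deps, trail) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const where = trail ? `${trail} > ${name}` : name;
      if (name === "jsrsasign") hits.push({ where, version: info.version });
      walk(info.dependencies, where);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

// Installed copies that still need the upgrade.
function audit(lock) {
  return findJsrsasign(lock).filter((hit) => isAffected(hit.version));
}

// Constructed sample lockfile; "some-jwt-lib" is a hypothetical package.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/jsrsasign": { version: "8.0.12" },
    "node_modules/some-jwt-lib/node_modules/jsrsasign": { version: "8.0.13" },
  },
};
console.log(audit(sampleLock));
```

To run it on a real project, pass `audit` the result of `JSON.parse` on the project's `package-lock.json`. Per the advisory, a hit matters only if the application uses the ECDSA class.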

Fix

Race Condition

Weakness Enumeration

Related Identifiers

GHSA-G753-JX37-7XWH

Affected Products

Jsrsasign