CVE-2021-30246

Опубликовано: 07 апр. 2021

Источник: nvd

CVSS3: 9.1

CVSS2: 6.4

EPSS Низкий

Описание

In the jsrsasign package through 10.1.13 for Node.js, some invalid RSA PKCS#1 v1.5 signatures are mistakenly recognized to be valid. NOTE: there is no known practical attack.

Ссылки

https://github.com/kjur/jsrsasign/issues/478
Third Party Advisory
https://github.com/kjur/jsrsasign/releases/tag/10.1.13
Release Notes
Third Party Advisory
https://kjur.github.io/jsrsasign/
Release Notes
Third Party Advisory
https://github.com/kjur/jsrsasign/issues/478
Third Party Advisory
https://github.com/kjur/jsrsasign/releases/tag/10.1.13
Release Notes
Third Party Advisory
https://kjur.github.io/jsrsasign/
Release Notes
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:jsrsasign_project:jsrsasign:*:*:*:*:*:node.js:*:*

Версия до 10.1.13 (включая)

EPSS

Процентиль: 42%

0.002

Низкий

9.1 Critical

CVSS3

6.4 Medium

CVSS2

Дефекты

CWE-347

Связанные уязвимости

GHSA-27fj-mc8w-j9wg