Описание
Versions of the package jsrsasign before 11.0.0 are vulnerable to Observable Discrepancy via the RSA PKCS1.5 or RSAOAEP decryption process. An attacker can decrypt ciphertexts by exploiting the Marvin security flaw. Exploiting this vulnerability requires the attacker to have access to a large number of ciphertexts encrypted with the same key.
Workaround
The vulnerability can be mitigated by finding and replacing RSA and RSAOAEP decryption with another crypto library.
Ссылки
- ExploitIssue TrackingVendor Advisory
- PatchRelease Notes
- PatchThird Party Advisory
- PatchThird Party Advisory
- PatchThird Party Advisory
- PatchThird Party Advisory
- ExploitIssue TrackingVendor Advisory
- PatchRelease Notes
- PatchThird Party Advisory
- PatchThird Party Advisory
- PatchThird Party Advisory
- PatchThird Party Advisory
Уязвимые конфигурации
EPSS
7.5 High
CVSS3
5.9 Medium
CVSS3
Дефекты
Связанные уязвимости
Versions of the package jsrsasign before 11.0.0 are vulnerable to Observable Discrepancy via the RSA PKCS1.5 or RSAOAEP decryption process. An attacker can decrypt ciphertexts by exploiting the Marvin security flaw. Exploiting this vulnerability requires the attacker to have access to a large number of ciphertexts encrypted with the same key. Workaround The vulnerability can be mitigated by finding and replacing RSA and RSAOAEP decryption with another crypto library.
Marvin Attack of RSA and RSAOAEP decryption in jsrsasign
Уязвимость реализации стандарта PKCS#1 v1.5 криптографической библиотеки jsrsasign, позволяющая нарушителю реализовать атаку Блейхенбахера (Bleichenbacher) или атаку Марвина (Marvin)
EPSS
7.5 High
CVSS3
5.9 Medium
CVSS3