CVE-2024-21484

MEDIUM EPSS 57.0%
Published Jan 22, 20242y ago · Modified Jun 22, 20261w ago
5.9 CVSS 3.1
Medium
Find Similar
Published Jan 22, 2024 2y ago
Last Modified Jun 22, 2026 1w ago

Description

Versions of the package jsrsasign before 11.0.0 are vulnerable to Observable Discrepancy via the RSA PKCS1.5 or RSAOAEP decryption process. An attacker can decrypt ciphertexts by exploiting the Marvin security flaw. Exploiting this vulnerability requires the attacker to have access to a large number of ciphertexts encrypted with the same key. Workaround The vulnerability can be mitigated by finding and replacing RSA and RSAOAEP decryption with another crypto library.

CVSS Details

Base Score
5.9
Exploitability
2.2
Impact
3.6
Vector string
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity None
Availability None

Threat Intelligence

EPSS Exploit Probability
57.0% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-203

Affected Products 1

VendorProductVersionRange
kjurjsrsasign* <11.0.0

References 7

  • github.com https://github.com/kjur/jsrsasign/issues/598
    ExploitIssue TrackingVendor Advisory
  • github.com https://github.com/kjur/jsrsasign/releases/tag/11.0.0
    PatchRelease Notes
  • people.redhat.com https://people.redhat.com/~hkario/marvin/
  • security.snyk.io https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-6070734
    PatchThird Party Advisory
  • security.snyk.io https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBKJUR-6070733
    PatchThird Party Advisory
  • security.snyk.io https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-6070732
    PatchThird Party Advisory
  • security.snyk.io https://security.snyk.io/vuln/SNYK-JS-JSRSASIGN-6070731
    PatchThird Party Advisory

Remediation

  • github.com https://github.com/kjur/jsrsasign/releases/tag/11.0.0
    PatchRelease Notes
  • security.snyk.io https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-6070734
    PatchThird Party Advisory
  • security.snyk.io https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBKJUR-6070733
    PatchThird Party Advisory
  • security.snyk.io https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-6070732
    PatchThird Party Advisory
  • security.snyk.io https://security.snyk.io/vuln/SNYK-JS-JSRSASIGN-6070731
    PatchThird Party Advisory