CVE-2024-21484 — HIGH (7.5)

Q: How severe is CVE-2024-21484?

CVE-2024-21484 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2024-21484?

Check the references section above for vendor advisories and patch information. Affected products include: Jsrsasign Project Jsrsasign.

Vulnerability Description

Versions of the package jsrsasign before 11.0.0 are vulnerable to Observable Discrepancy via the RSA PKCS1.5 or RSAOAEP decryption process. An attacker can decrypt ciphertexts by exploiting the Marvin security flaw. Exploiting this vulnerability requires the attacker to have access to a large number of ciphertexts encrypted with the same key. Workaround The vulnerability can be mitigated by finding and replacing RSA and RSAOAEP decryption with another crypto library.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:L

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

LOW

Affected Products

Vendor	Product	Versions
Jsrsasign Project	Jsrsasign	< 11.0.0

Related Weaknesses (CWE)

CWE-203

References

https://github.com/kjur/jsrsasign/issues/598ExploitIssue TrackingVendor Advisory
https://github.com/kjur/jsrsasign/releases/tag/11.0.0PatchRelease Notes
https://people.redhat.com/~hkario/marvin/
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-6070734PatchThird Party Advisory
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBKJUR-6070733PatchThird Party Advisory
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-6070732PatchThird Party Advisory
https://security.snyk.io/vuln/SNYK-JS-JSRSASIGN-6070731PatchThird Party Advisory
https://github.com/kjur/jsrsasign/issues/598ExploitIssue TrackingVendor Advisory
https://github.com/kjur/jsrsasign/releases/tag/11.0.0PatchRelease Notes
https://people.redhat.com/~hkario/marvin/
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-6070734PatchThird Party Advisory
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBKJUR-6070733PatchThird Party Advisory
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-6070732PatchThird Party Advisory
https://security.snyk.io/vuln/SNYK-JS-JSRSASIGN-6070731PatchThird Party Advisory

FAQ

What is CVE-2024-21484?

CVE-2024-21484 is a vulnerability with a CVSS score of 7.5 (HIGH). Versions of the package jsrsasign before 11.0.0 are vulnerable to Observable Discrepancy via the RSA PKCS1.5 or RSAOAEP decryption process. An attacker can decrypt ciphertexts by exploiting the Marvin...

How severe is CVE-2024-21484?

CVE-2024-21484 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2024-21484?

Check the references section above for vendor advisories and patch information. Affected products include: Jsrsasign Project Jsrsasign.