Buffer overflow in Jsrsasign_project Jsrsasign
CVE-2020-14967
An issue was discovered in the jsrsasign package before 8.0.18 for Node.js. Its RSA PKCS1 v1.5 decryption implementation does not detect ciphertext modification by prepending '\0' bytes to ciphertexts (it decrypts modified ciphertexts with…
Vulnerability class: Buffer Overflow
EPSS: 0.026 (83.4th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 9.8 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.
Affected products
- Jsrsasign_project Jsrsasign
- Kjur Jsrsasign
- Netapp Max_data
- N/a — versions n/a
Weakness classification (CWE)
Public proof-of-concept exploits
References
- cve@mitre.org (Third Party Advisory, x_refsource_MISC, Release Notes)
- cve@mitre.org (Product, Third Party Advisory, x_refsource_MISC)
- cve@mitre.org (Third Party Advisory, x_refsource_MISC, Release Notes)
- cve@mitre.org (Third Party Advisory, x_refsource_MISC, Release Notes)
- cve@mitre.org (Exploit, Third Party Advisory, x_refsource_MISC, Issue Tracking)
- cve@mitre.org (x_refsource_CONFIRM, Third Party Advisory)
Frequently asked questions
- What is CVE-2020-14967?
- CVE-2020-14967 is a critical-severity vulnerability in Jsrsasign_project Jsrsasign, classified under Improper Restriction of Operations within the Bounds of a Memory Buffer. CVSS score: 9.8/10. Published 2020-06-22.
- How severe is CVE-2020-14967?
- Critical severity. CVSS v3 base score is 9.8 out of 10.
- Is CVE-2020-14967 known to be exploited?
- 20 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.