CVE-2024-21484

medium

Description

Versions of the package jsrsasign before 11.0.0 are vulnerable to Observable Discrepancy via the RSA PKCS1.5 or RSAOAEP decryption process. An attacker can decrypt ciphertexts by exploiting the Marvin security flaw. Exploiting this vulnerability requires the attacker to have access to a large number of ciphertexts encrypted with the same key. Workaround The vulnerability can be mitigated by finding and replacing RSA and RSAOAEP decryption with another crypto library.

References

Advisories
More

https://security.snyk.io/vuln/SNYK-JS-JSRSASIGN-6070731

https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-6070732

https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBKJUR-6070733

https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-6070734

https://people.redhat.com/~hkario/marvin/

https://github.com/kjur/jsrsasign/releases/tag/11.0.0

https://github.com/kjur/jsrsasign/issues/598

Details

Source: Mitre, NVD

Published: 2024-01-22

Updated: 2026-06-22

Risk Information

CVSS v2

Base Score: 5.4

Vector: CVSS2#AV:N/AC:H/Au:N/C:C/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 5.9

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Severity: Medium

EPSS

EPSS: 0.00448