CVE-2020-14967
RSA PKCS#1 decryption vulnerability with prepending zeros in jsrsasign
Description
### Impact Jsrsasign supports RSA PKCS#1 v1.5 (i.e. RSAES-PKCS1-v1_5) and RSA-OAEP encryption and decryption. Its encrypted message is represented as BigInteger. When there is a valid encrypted message, a crafted message with prepending zeros can be decrypted by this vulnerability. - If you don't use RSA PKCS1-v1_5 or RSA-OAEP decryption, this vulnerability is not affected. - Risk to forge contents of encrypted message is very low. - Risk to raise memory corruption is low since jsrsasign uses BigInteger class. ### Patches Users using RSA PKCS1-v1_5 or RSA-OAEP decryption should upgrade to 8.0.18. ### Workarounds Reject RSA PKCS1-v1_5 or RSA-OAEP encrypted message with unnecessary prepending zeros. ### References https://nvd.nist.gov/vuln/detail/CVE-2020-14967 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14967 https://vuldb.com/?id.157124 https://kjur.github.io/jsrsasign/api/symbols/KJUR.crypto.Cipher.html#.decrypt https://github.com/kjur/jsrsasign/issues/439
How to fix CVE-2020-14967
To remediate CVE-2020-14967, upgrade the affected package to a fixed version below.
- —upgrade to 8.0.18 or later
Is CVE-2020-14967 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 8.0.18
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |