Signatures are mistakenly recognized to be valid in jsrsasign
Moderate severity
GitHub Reviewed
Published Feb 9, 2022 to the GitHub Advisory Database • Updated Jan 9, 2023
Reviewed Apr 8, 2021
Description
In the jsrsasign package through 10.1.13 for Node.js, some invalid RSA PKCS#1 v1.5 signatures are mistakenly recognized to be valid. NOTE: there is no known practical attack.
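For comparison when testing a verifier, the following added example (not code from jsrsasign or from this advisory) implements the encode-and-compare form of RSASSA-PKCS1-v1_5 verification from RFC 8017 section 8.2.2, which accepts exactly one encoded message per message and key size. It assumes SHA-256 and a public key in JWK form; `strictVerify`, `expectedEM` and the helper names are hypothetical.

```javascript
// Added example: strict RSASSA-PKCS1-v1_5 verification (RFC 8017, section 8.2.2).
// Assumptions: SHA-256 digest, public key as JWK {n, e}; all names are illustrative.
const crypto = require('node:crypto');

// DER prefix of the SHA-256 DigestInfo (RFC 8017, section 9.2, note 1).
const SHA256_DIGESTINFO = Buffer.from('3031300d060960864801650304020105000420', 'hex');

const toBig = (buf) => BigInt('0x' + (buf.toString('hex') || '0'));
const b64uToBig = (s) => toBig(Buffer.from(s, 'base64url'));

// Square-and-multiply modular exponentiation on BigInt values.
function modPow(base, exp, mod) {
  let result = 1n;
  base %= mod;
  while (exp > 0n) {
    if (exp & 1n) result = (result * base) % mod;
    base = (base * base) % mod;
    exp >>= 1n;
  }
  return result;
}

// Build the single valid encoded message: 00 01 FF..FF 00 || DigestInfo || hash.
function expectedEM(message, k) {
  const hash = crypto.createHash('sha256').update(message).digest();
  const t = Buffer.concat([SHA256_DIGESTINFO, hash]);
  if (k < t.length + 11) throw new Error('modulus too short');
  const ps = Buffer.alloc(k - t.length - 3, 0xff);
  return Buffer.concat([Buffer.from([0x00, 0x01]), ps, Buffer.from([0x00]), t]);
}

// Returns true only when s^e mod n equals the expected encoding byte for byte.
function strictVerify(publicJwk, message, signature) {
  const n = b64uToBig(publicJwk.n);
  const e = b64uToBig(publicJwk.e);
  const k = Buffer.from(publicJwk.n, 'base64url').length; // modulus length in bytes
  if (signature.length !== k) return false;               // wrong length: reject
  const s = toBig(signature);
  if (s >= n) return false;                               // out of range: reject
  const em = Buffer.from(modPow(s, e, n).toString(16).padStart(2 * k, '0'), 'hex');
  return crypto.timingSafeEqual(em, expectedEM(message, k));
}
```

Because the verifier rebuilds the encoding instead of parsing it, any deviation in length, padding or DigestInfo fails the comparison.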
References