Find, fix and prevent vulnerabilities in your code.
critical severity
new
- Vulnerable module: jsrsasign
- Introduced through: jsrsasign@10.9.0
Detailed paths
-
Introduced through: @datebe/destroyclaim-js@datebe/destroyclaims#9a8a6e5e432312175cc439f333c45620924400fc › jsrsasign@10.9.0Remediation: Upgrade to jsrsasign@11.1.1.
Overview
jsrsasign is a free pure JavaScript cryptographic library.
Affected versions of this package are vulnerable to Missing Cryptographic Step via the KJUR.crypto.DSA.signWithMessageHash process in the DSA signing implementation. An attacker can recover the private key by forcing r or s to be zero, so the library emits an invalid signature without retrying, and then solves for x from the resulting signature.
Remediation
Upgrade jsrsasign to version 11.1.1 or higher.
References
critical severity
new
- Vulnerable module: jsrsasign
- Introduced through: jsrsasign@10.9.0
Detailed paths
-
Introduced through: @datebe/destroyclaim-js@datebe/destroyclaims#9a8a6e5e432312175cc439f333c45620924400fc › jsrsasign@10.9.0Remediation: Upgrade to jsrsasign@11.1.1.
Overview
jsrsasign is a free pure JavaScript cryptographic library.
Affected versions of this package are vulnerable to Incomplete Comparison with Missing Factors via the getRandomBigIntegerZeroToMax and getRandomBigIntegerMinToMax functions in src/crypto-1.1.js; an attacker can recover the private key by exploiting the incorrect compareTo checks that accept out-of-range candidates and thus bias DSA nonces during signature generation.
Remediation
Upgrade jsrsasign to version 11.1.1 or higher.
References
critical severity
new
- Vulnerable module: jsrsasign
- Introduced through: jsrsasign@10.9.0
Detailed paths
-
Introduced through: @datebe/destroyclaim-js@datebe/destroyclaims#9a8a6e5e432312175cc439f333c45620924400fc › jsrsasign@10.9.0Remediation: Upgrade to jsrsasign@11.1.1.
Overview
jsrsasign is a free pure JavaScript cryptographic library.
Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature via the DSA domain-parameter validation in KJUR.crypto.DSA.setPublic (and the related DSA/X509 verification flow in src/dsa-2.0.js). An attacker can forge DSA signatures or X.509 certificates that X509.verifySignature() accepts by supplying malicious domain parameters such as g=1, y=1, and a fixed r=1, which make the verification equation true for any hash.
Remediation
Upgrade jsrsasign to version 11.1.1 or higher.
References
high severity
new
- Vulnerable module: jsrsasign
- Introduced through: jsrsasign@10.9.0
Detailed paths
-
Introduced through: @datebe/destroyclaim-js@datebe/destroyclaims#9a8a6e5e432312175cc439f333c45620924400fc › jsrsasign@10.9.0Remediation: Upgrade to jsrsasign@11.1.1.
Overview
jsrsasign is a free pure JavaScript cryptographic library.
Affected versions of this package are vulnerable to Incorrect Conversion between Numeric Types due to handling negative exponents in ext/jsbn2.js. An attacker can force the computation of incorrect modular inverses and break signature verification by calling modPow with a negative exponent.
Remediation
Upgrade jsrsasign to version 11.1.1 or higher.
References
high severity
new
- Vulnerable module: jsrsasign
- Introduced through: jsrsasign@10.9.0
Detailed paths
-
Introduced through: @datebe/destroyclaim-js@datebe/destroyclaims#9a8a6e5e432312175cc439f333c45620924400fc › jsrsasign@10.9.0Remediation: Upgrade to jsrsasign@11.1.1.
Overview
jsrsasign is a free pure JavaScript cryptographic library.
Affected versions of this package are vulnerable to Infinite loop via the bnModInverse function in ext/jsbn2.js when the BigInteger.modInverse implementation receives zero or negative inputs, allowing an attacker to hang the process permanently by supplying such crafted values (e.g., modInverse(0, m) or modInverse(-1, m)).
Remediation
Upgrade jsrsasign to version 11.1.1 or higher.
References
high severity
- Vulnerable module: jsrsasign
- Introduced through: jsrsasign@10.9.0
Detailed paths
-
Introduced through: @datebe/destroyclaim-js@datebe/destroyclaims#9a8a6e5e432312175cc439f333c45620924400fc › jsrsasign@10.9.0Remediation: Upgrade to jsrsasign@11.0.0.
Overview
jsrsasign is a free pure JavaScript cryptographic library.
Affected versions of this package are vulnerable to Observable Discrepancy via the RSA PKCS#1.5 or RSAOAEP decryption process. An attacker can decrypt ciphertexts by exploiting the Marvin security flaw. Exploiting this vulnerability requires the attacker to have access to a large number of ciphertexts encrypted with the same key.
Workaround
The vulnerability can be mitigated by finding and replacing RSA and RSAOAEP decryption with another crypto library.
Remediation
Upgrade jsrsasign to version 11.0.0 or higher.
References
medium severity
- Vulnerable module: inflight
- Introduced through: secure-rm@4.2.0
Detailed paths
-
Introduced through: @datebe/destroyclaim-js@datebe/destroyclaims#9a8a6e5e432312175cc439f333c45620924400fc › secure-rm@4.2.0 › rimraf@3.0.2 › glob@7.2.3 › inflight@1.0.6
Overview
Affected versions of this package are vulnerable to Missing Release of Resource after Effective Lifetime via the makeres function due to improperly deleting keys from the reqs object after execution of callbacks. This behavior causes the keys to remain in the reqs object, which leads to resource exhaustion.
Exploiting this vulnerability results in crashing the node process or in the application crash.
Note: This library is not maintained, and currently, there is no fix for this issue. To overcome this vulnerability, several dependent packages have eliminated the use of this library.
To trigger the memory leak, an attacker would need to have the ability to execute or influence the asynchronous operations that use the inflight module within the application. This typically requires access to the internal workings of the server or application, which is not commonly exposed to remote users. Therefore, “Attack vector” is marked as “Local”.
PoC
const inflight = require('inflight');
function testInflight() {
let i = 0;
function scheduleNext() {
let key = `key-${i++}`;
const callback = () => {
};
for (let j = 0; j < 1000000; j++) {
inflight(key, callback);
}
setImmediate(scheduleNext);
}
if (i % 100 === 0) {
console.log(process.memoryUsage());
}
scheduleNext();
}
testInflight();
Remediation
There is no fixed version for inflight.
References
medium severity
new
- Vulnerable module: jsrsasign
- Introduced through: jsrsasign@10.9.0
Detailed paths
-
Introduced through: @datebe/destroyclaim-js@datebe/destroyclaims#9a8a6e5e432312175cc439f333c45620924400fc › jsrsasign@10.9.0Remediation: Upgrade to jsrsasign@11.1.1.
Overview
jsrsasign is a free pure JavaScript cryptographic library.
Affected versions of this package are vulnerable to Division by zero due to the RSASetPublic/KEYUTIL parsing path in ext/rsa.js and the BigInteger.modPowInt reduction logic in ext/jsbn.js. An attacker can force RSA public-key operations (e.g., verify and encryption) to collapse to deterministic zero outputs and hide “invalid key” errors by supplying a JWK whose modulus decodes to zero.
Remediation
Upgrade jsrsasign to version 11.1.1 or higher.