@tadashi/jwt@1.0.4

Vulnerabilities

5 via 5 paths

Dependencies

5

Source

npm

Find, fix and prevent vulnerabilities in your code.

Severity
  • 4
  • 1
Status
  • 5
  • 0
  • 0

medium severity

Cryptographic Weakness

  • Vulnerable module: jsrsasign
  • Introduced through: jsrsasign@8.0.4

Detailed paths

  • Introduced through: @tadashi/jwt@1.0.4 jsrsasign@8.0.4
    Remediation: Upgrade to @tadashi/jwt@4.0.0.

Overview

jsrsasign is a free pure JavaScript cryptographic library.

Affected versions of this package are vulnerable to Cryptographic Weakness. Invalid RSA PKCS#1 v1.5 signatures are mistakenly recognized to be valid.

Remediation

Upgrade jsrsasign to version 10.1.13 or higher.

References

medium severity

Memory Corruption

  • Vulnerable module: jsrsasign
  • Introduced through: jsrsasign@8.0.4

Detailed paths

  • Introduced through: @tadashi/jwt@1.0.4 jsrsasign@8.0.4
    Remediation: Upgrade to @tadashi/jwt@4.0.0.

Overview

jsrsasign is a free pure JavaScript cryptographic library.

Affected versions of this package are vulnerable to Memory Corruption. Its RSA PKCS1 v1.5 decryption implementation does not detect ciphertext modification by prepending '\0' bytes to ciphertexts (it decrypts modified ciphertexts without error). An attacker might prepend these bytes with the goal of triggering memory corruption issues.

Remediation

Upgrade jsrsasign to version 8.0.18 or higher.

References

medium severity

Remote Code Execution (RCE)

  • Vulnerable module: jsrsasign
  • Introduced through: jsrsasign@8.0.4

Detailed paths

  • Introduced through: @tadashi/jwt@1.0.4 jsrsasign@8.0.4
    Remediation: Upgrade to @tadashi/jwt@4.0.0.

Overview

jsrsasign is a free pure JavaScript cryptographic library.

Affected versions of this package are vulnerable to Remote Code Execution (RCE). Its RSASSA-PSS (RSA-PSS) implementation does not detect signature manipulation/modification by prepending '\0' bytes to a signature (it accepts these modified signatures as valid). An attacker can abuse this behavior in an application by creating multiple valid signatures where only one signature should exist. Also, an attacker might prepend these bytes with the goal of triggering memory corruption issues.

Remediation

Upgrade jsrsasign to version 8.0.18 or higher.

References

medium severity

Timing Attack

  • Vulnerable module: jsrsasign
  • Introduced through: jsrsasign@8.0.4

Detailed paths

  • Introduced through: @tadashi/jwt@1.0.4 jsrsasign@8.0.4
    Remediation: Upgrade to @tadashi/jwt@4.0.0.

Overview

jsrsasign is a free pure JavaScript cryptographic library.

Affected versions of this package are vulnerable to Timing Attack. Practical recovery of the long-term private key generated by the library is possible under certain conditions. Leakage of a bit-length of the scalar during scalar multiplication is possible on an elliptic curve which might allow practical recovery of the long-term private key.

Remediation

Upgrade jsrsasign to version 8.0.13 or higher.

References

low severity

Signature Bypass

  • Vulnerable module: jsrsasign
  • Introduced through: jsrsasign@8.0.4

Detailed paths

  • Introduced through: @tadashi/jwt@1.0.4 jsrsasign@8.0.4
    Remediation: Upgrade to @tadashi/jwt@4.0.0.

Overview

jsrsasign is a free pure JavaScript cryptographic library.

Affected versions of this package are vulnerable to Signature Bypass. It allows a malleability in ECDSA signatures by not checking overflows in the length of a sequence and '0' characters appended or prepended to an integer. The modified signatures are verified as valid. This could have a security-relevant impact if an application relied on a single canonical signature.

Remediation

Upgrade jsrsasign to version 8.0.18 or higher.

References