CVE-2020-14966
First published: Mon Jun 22 2020(Updated: )
An issue was discovered in the jsrsasign package through 8.0.18 for Node.js. It allows a malleability in ECDSA signatures by not checking overflows in the length of a sequence and '0' characters appended or prepended to an integer. The modified signatures are verified as valid. This could have a security-relevant impact if an application relied on a single canonical signature.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Jsrsasign Project Jsrsasign | <=8.0.18 | |
| Netapp Max Data |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2020-14966?
CVE-2020-14966 is a vulnerability in the jsrsasign package for Node.js that allows for malleability in ECDSA signatures.
How does CVE-2020-14966 affect the jsrsasign package?
CVE-2020-14966 allows for malleability in ECDSA signatures by not properly checking overflows in the length of a sequence and '0' characters appended or prepended to an integer.
What is the severity of CVE-2020-14966?
CVE-2020-14966 has a severity rating of 7.5 (high).
Which software versions are affected by CVE-2020-14966?
The jsrsasign package versions through 8.0.18 for Node.js are affected by CVE-2020-14966.
How can I fix CVE-2020-14966?
To fix CVE-2020-14966, update the jsrsasign package to version 8.0.19 or later for Node.js.
- collector/nvd-index
- agent/references
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/severity
- agent/weakness
- agent/author
- agent/first-publish-date
- agent/tags
- agent/description
- agent/type
- agent/event
- vendor/jsrsasign project
- canonical/jsrsasign project jsrsasign
- version/jsrsasign project jsrsasign/8.0.18
- vendor/netapp
- canonical/netapp max data