CVE-2020-14968: Buffer Overflow
First published: Mon Jun 22 2020(Updated: )
An issue was discovered in the jsrsasign package before 8.0.17 for Node.js. Its RSASSA-PSS (RSA-PSS) implementation does not detect signature manipulation/modification by prepending '\0' bytes to a signature (it accepts these modified signatures as valid). An attacker can abuse this behavior in an application by creating multiple valid signatures where only one signature should exist. Also, an attacker might prepend these bytes with the goal of triggering memory corruption issues.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Jsrsasign Project Jsrsasign | <8.0.17 | |
| Netapp Max Data |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2020-14968?
CVE-2020-14968 is a vulnerability in the jsrsasign package before version 8.0.17 for Node.js, which allows an attacker to manipulate RSA-PSS signatures.
How does CVE-2020-14968 affect software?
This vulnerability affects the jsrsasign package before version 8.0.17 for Node.js and Netapp Max Data.
What is the severity of CVE-2020-14968?
The severity of CVE-2020-14968 is critical with a CVSS score of 9.8.
How can an attacker exploit CVE-2020-14968?
An attacker can exploit this vulnerability by manipulating RSA-PSS signatures by prepending '\0' bytes to a signature.
How can CVE-2020-14968 be fixed?
To fix CVE-2020-14968, update to jsrsasign version 8.0.17 or later.
- collector/nvd-index
- agent/type
- agent/author
- agent/severity
- agent/weakness
- agent/references
- agent/tags
- agent/description
- agent/event
- agent/first-publish-date
- agent/softwarecombine
- agent/last-modified-date
- vendor/jsrsasign project
- canonical/jsrsasign project jsrsasign
- vendor/netapp
- canonical/netapp max data