What is the severity of CVE-2021-30246?

The severity of CVE-2021-30246 is critical with a severity value of 9.1.

What is the impact of CVE-2021-30246?

CVE-2021-30246 allows the acceptance of RSA signatures with improper PKCS#1.5 padding, which can lead to vulnerabilities in the jsrsasign package.

How can I fix CVE-2021-30246?

To fix CVE-2021-30246, update the jsrsasign package to version 10.2.0 or higher.

What is the affected software for CVE-2021-30246?

The affected software for CVE-2021-30246 includes jsrsasign package versions up to and including 10.1.13 for Node.js.

What is the Common Weakness Enumeration (CWE) for CVE-2021-30246?

The Common Weakness Enumeration (CWE) for CVE-2021-30246 is CWE-347.

Vulnerability/
CVE-2021-30246

critical

9.1

CWE

347

7/4/2021

16/4/2021

11/9/2023

CVE-2021-30246

First published: Wed Apr 07 2021(Updated: )

### Impact Vulnerable jsrsasign will accept RSA signature with improper PKCS#1.5 padding. Decoded RSA signature value consists following form: `01(ff...(8 or more ffs)...ff)00[ASN.1 OF DigestInfo]` Its byte length must be the same as RSA key length, however such checking was not sufficient. To make crafted message for practical attack is very hard. ### Patches Users validating RSA signature should upgrade to 10.2.0 or later. ### Workarounds There is no workaround. Not to use RSA signature validation in jsrsasign. ### ACKNOWLEDGEMENT Thanks to Daniel Yahyazadeh @yahyazadeh for reporting and analyzing this vulnerability.

Credit: cve@mitre.org cve@mitre.org

Affected Software	Affected Version	How to fix
npm/jsrsasign	<10.2.0	10.2.0
Jsrsasign Project Jsrsasign	<=10.1.13

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2021-30246?
The severity of CVE-2021-30246 is critical with a severity value of 9.1.
What is the impact of CVE-2021-30246?
CVE-2021-30246 allows the acceptance of RSA signatures with improper PKCS#1.5 padding, which can lead to vulnerabilities in the jsrsasign package.
How can I fix CVE-2021-30246?
To fix CVE-2021-30246, update the jsrsasign package to version 10.2.0 or higher.
What is the affected software for CVE-2021-30246?
The affected software for CVE-2021-30246 includes jsrsasign package versions up to and including 10.1.13 for Node.js.
What is the Common Weakness Enumeration (CWE) for CVE-2021-30246?
The Common Weakness Enumeration (CWE) for CVE-2021-30246 is CWE-347.

collector/github-advisory-latest
alias/GHSA-27fj-mc8w-j9wg
alias/CVE-2021-30246
collector/github-advisory
collector/nvd-index
collector/nvd-cve
agent/severity
agent/weakness
agent/author
agent/type
agent/tags
agent/event
agent/references
agent/description
agent/softwarecombine
agent/last-modified-date
agent/first-publish-date
package-manager/npm
vendor/jsrsasign project
canonical/jsrsasign project jsrsasign
version/jsrsasign project jsrsasign/10.1.13

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.