CVE-2020-14967: Improper Restriction of Operations within the Bounds of a Memory Buffer

June 22, 2020 (updated July 24, 2020)

An issue was discovered in the jsrsasign package for Node.js. Its RSA PKCS1 v1.5 decryption implementation does not detect ciphertext modification by prepending \0 bytes to ciphertexts (it decrypts modified ciphertexts without error). An attacker might prepend these bytes with the goal of triggering memory corruption issues.

References

nvd.nist.gov/vuln/detail/CVE-2020-14967

Detect and mitigate CVE-2020-14967 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →