GMS-2024-46: Marvin Attack of RSA and RSAOAEP decryption in jsrsasign

January 19, 2024

Impact

RSA PKCS#1.5 or RSAOAEP ciphertexts may be decrypted by this Marvin attack vulnerability.

Patches

update to jsrsasign 11.0.0.

Workarounds

Find and replace RSA and RSAOAEP decryption with other crypto library.

References

https://people.redhat.com/~hkario/marvin/ https://github.com/kjur/jsrsasign/issues/598

References

github.com/advisories/GHSA-rh63-9qcf-83gf
github.com/kjur/jsrsasign/issues/598
github.com/kjur/jsrsasign/releases/tag/11.0.0
github.com/kjur/jsrsasign/security/advisories/GHSA-rh63-9qcf-83gf

Detect and mitigate GMS-2024-46 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →