CVE-2020-14967

9.8 CRITICAL

📋 TL;DR

This vulnerability in jsrsasign allows attackers to modify RSA PKCS1 v1.5 ciphertexts by prepending null bytes, potentially leading to memory corruption. It affects Node.js applications using vulnerable versions of the jsrsasign package. The high CVSS score indicates critical risk for confidentiality, integrity, and availability.

💻 Affected Systems

Products:
  • jsrsasign
Versions: All versions before 8.0.18
Operating Systems: All platforms running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications using RSA PKCS1 v1.5 decryption functionality from jsrsasign.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Memory corruption leading to remote code execution, complete system compromise, or data exfiltration.

🟠 Likely Case

Denial of service through application crashes or potential information disclosure via memory corruption.

🟢 If Mitigated

Limited impact if proper input validation and memory protections are in place, though cryptographic integrity is still compromised.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the attacker to have ciphertexts to modify, but the modification technique is simple.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.0.18

Vendor Advisory: https://github.com/kjur/jsrsasign/releases/tag/8.0.18

Restart Required: Yes

Instructions:

1. Update jsrsasign to version 8.0.18 or later using npm: npm update jsrsasign
2. Restart your Node.js application
3. Verify the update with: npm list jsrsasign

🔧 Temporary Workarounds

Input Validation (all platforms)

Implement strict input validation to reject ciphertexts with leading null bytes before decryption.

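// JavaScript example (ciphertext held as a binary string; a hex-encoded
// ciphertext begins with the characters '00' instead of a NUL character)
if (ciphertext.startsWith('\0')) throw new Error('Invalid ciphertext');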
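
A more precise form of this workaround, as an added example (not code from the advisory or from jsrsasign): RFC 8017 requires an RSAES-PKCS1-v1_5 ciphertext to be exactly as long as the RSA modulus, so a length check rejects prepended null bytes without refusing a well-formed ciphertext whose first octet happens to be 0x00. It assumes the ciphertext is a hex string and that senders emit full-length ciphertexts; `assertCiphertextLength`, `accepts` and the sample values are hypothetical names and constructed data.

```javascript
// RFC 8017 section 7.2.2, step 1: the ciphertext must be exactly k octets,
// where k is the length of the RSA modulus in octets.
function assertCiphertextLength(ciphertextHex, modulusBits) {
  if (typeof ciphertextHex !== 'string' ||
      !/^(?:[0-9a-fA-F]{2})+$/.test(ciphertextHex)) {
    throw new TypeError('ciphertext must be a non-empty, even-length hex string');
  }
  const k = Math.ceil(modulusBits / 8);
  const octets = ciphertextHex.length / 2;
  if (octets !== k) {
    throw new RangeError(`ciphertext is ${octets} octets, expected ${k}`);
  }
  return ciphertextHex; // safe to hand to the decryption call
}

// Convenience wrapper: true if the guard accepts the input.
function accepts(ciphertextHex, modulusBits) {
  try {
    assertCiphertextLength(ciphertextHex, modulusBits);
    return true;
  } catch (e) {
    return false;
  }
}

// Constructed sample data (not real ciphertexts) for a 2048-bit key, k = 256.
const sample = 'ab'.repeat(256);              // correct length
const padded = '00' + sample;                 // one null byte prepended
const leadingZero = '00' + 'ab'.repeat(255);  // correct length, first octet 0x00

function demo() {
  return {
    sample: accepts(sample, 2048),            // accepted
    padded: accepts(padded, 2048),            // rejected: 257 octets
    leadingZero: accepts(leadingZero, 2048),  // accepted: still 256 octets
    // A NUL-character test never fires on hex input, which starts with "00".
    nulCheckCatchesPadded: padded.startsWith('\0'),
  };
}

console.log(demo());
```

Take `modulusBits` from the private key actually used for decryption rather than from a constant, so the check stays correct if key sizes differ between deployments.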

🧯 If You Can't Patch

  • Disable RSA PKCS1 v1.5 decryption in affected applications if possible.
  • Implement network segmentation to isolate vulnerable systems from untrusted networks.

🔍 How to Verify

Check if Vulnerable:

Check package.json or run: npm list jsrsasign | grep jsrsasign

Check Version:

npm list jsrsasign

Verify Fix Applied:

Confirm installed version is 8.0.18 or higher: npm list jsrsasign

📡 Detection & Monitoring

Log Indicators:

  • Application crashes, unexpected memory errors, or decryption failures in logs

Network Indicators:

  • Unusual patterns of encrypted traffic with modified ciphertexts

SIEM Query:

source="application_logs" AND ("jsrsasign" OR "RSA decryption error")
