GCVE - cpe:2.3:a:n/a:jsrsasign:*:*:*:*:*:*:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:n/a:jsrsasign:*:*:*:*:*:*:*:*

part: a version: * update: *

Vendor	N/A (`22f567d3-1203-528c-8f0e-3eb9c2f6ca78`)
Product	Jsrsasign (`9cf2ed9b-4a98-58c2-b0a8-b12350cb0fd0`)
Edition	*
Language	*
Software edition	*
Target software	*
Target hardware	*
Other	*
Notes	Imported from gcve-enriched-dumps CVE data

PURL mappings

PURL	Source	Last updated
No PURL mappings for this CPE yet.

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2026-4603`	vulnerable	2026-06-08 08:05:13.577412	Details available MEDIUM (5.9) Versions of the package jsrsasign before 11.1.1 are vulnerable to Division by zero due to the RSASetPublic/KEYUTIL parsing path in ext/rsa.js and the BigInteger.modPowInt reduction logic in ext/jsbn.js. An attacker can force RSA public-key operations (e.g., verify and encryption) to collapse to deterministic zero outputs and hide “invalid key” errors by supplying a JWK whose modulus decodes to zero. Published: 2026-03-23T05:00:14.060Z Updated: 2026-03-23T14:42:16.345Z Open on db.gcve.eu Reference links https://security.snyk.io/vuln/SNYK-JS-JSRSASIGN-15371176 https://gist.github.com/Kr0emer/5366b7364c4fbf7e754bc377f321e9f3 https://github.com/kjur/jsrsasign/commit/dc41d49fac4297e7a737a3ef8ebd0aa9c49ef93f https://github.com/kjur/jsrsasign/pull/649	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2026-4602`	vulnerable	2026-06-08 08:05:13.576967	Details available HIGH (7.5) Versions of the package jsrsasign before 11.1.1 are vulnerable to Incorrect Conversion between Numeric Types due to handling negative exponents in ext/jsbn2.js. An attacker can force the computation of incorrect modular inverses and break signature verification by calling modPow with a negative exponent. Published: 2026-03-23T05:00:10.567Z Updated: 2026-06-30T03:16:31.075Z Open on db.gcve.eu Reference links https://security.snyk.io/vuln/SNYK-JS-JSRSASIGN-15371175 https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-15812274 https://gist.github.com/Kr0emer/7ecd2be7d17419e4677315ef3758faf5 https://github.com/kjur/jsrsasign/pull/650 https://github.com/kjur/jsrsasign/commit/5ea1c32bb2aa894b4bd29849839afe4f98728195	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2026-4601`	vulnerable	2026-06-08 08:05:13.576680	Details available HIGH (8.7) Versions of the package jsrsasign before 11.1.1 are vulnerable to Missing Cryptographic Step via the KJUR.crypto.DSA.signWithMessageHash process in the DSA signing implementation. An attacker can recover the private key by forcing r or s to be zero, so the library emits an invalid signature without retrying, and then solves for x from the resulting signature. Published: 2026-03-23T05:00:13.312Z Updated: 2026-06-30T03:16:32.809Z Open on db.gcve.eu Reference links https://security.snyk.io/vuln/SNYK-JS-JSRSASIGN-15370941 https://gist.github.com/Kr0emer/93789fe6efe5519db9692d4ad1dad586 https://github.com/kjur/jsrsasign/pull/645 https://github.com/kjur/jsrsasign/commit/0710e392ec35de697ce11e4219c988ba2b5fe0eb	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2026-4600`	vulnerable	2026-06-08 08:05:13.576349	Details available HIGH (7.4) Versions of the package jsrsasign before 11.1.1 are vulnerable to Improper Verification of Cryptographic Signature via the DSA domain-parameter validation in KJUR.crypto.DSA.setPublic (and the related DSA/X509 verification flow in src/dsa-2.0.js). An attacker can forge DSA signatures or X.509 certificates that X509.verifySignature() accepts by supplying malicious domain parameters such as g=1, y=1, and a fixed r=1, which make the verification equation true for any hash. Published: 2026-03-23T05:00:08.475Z Updated: 2026-06-30T03:18:57.163Z Open on db.gcve.eu Reference links https://security.snyk.io/vuln/SNYK-JS-JSRSASIGN-15370940 https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-15812268 https://gist.github.com/Kr0emer/bf15ddc097176e951659a24a8e9002a7 https://github.com/kjur/jsrsasign/pull/646 https://github.com/kjur/jsrsasign/commit/37b4c06b145c7bfd6bc2a6df5d0a12c56b15ef60	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2026-4599`	vulnerable	2026-06-08 08:05:13.575931	Details available CRITICAL (9.1) Versions of the package jsrsasign from 7.0.0 and before 11.1.1 are vulnerable to Incomplete Comparison with Missing Factors via the getRandomBigIntegerZeroToMax and getRandomBigIntegerMinToMax functions in src/crypto-1.1.js; an attacker can recover the private key by exploiting the incorrect compareTo checks that accept out-of-range candidates and thus bias DSA nonces during signature generation. Published: 2026-03-23T05:00:12.522Z Updated: 2026-06-30T03:18:57.456Z Open on db.gcve.eu Reference links https://security.snyk.io/vuln/SNYK-JS-JSRSASIGN-15370939 https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-15812264 https://gist.github.com/Kr0emer/081681818b51605c91945126d74b4f20 https://github.com/kjur/jsrsasign/pull/647 https://github.com/kjur/jsrsasign/commit/ee4b013478366cb16cea9a4bdfb218b6077f83b1	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2026-4598`	vulnerable	2026-06-08 08:05:13.574097	db.gcve.eu details were skipped to keep the page responsive. Open on db.gcve.eu	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2024-21484`	vulnerable	2026-06-08 06:27:35.406451	db.gcve.eu details were skipped to keep the page responsive. Open on db.gcve.eu	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2022-25898`	vulnerable	2026-06-08 05:41:49.650284	db.gcve.eu details were skipped to keep the page responsive. Open on db.gcve.eu	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.