
Commit e0ca39d

1 parent dbf1a31 commit e0ca39d


2 files changed

+61
-11
lines changed


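--- a/advisories/unreviewed/2026/03/GHSA-8g7p-jf3g-gxcp/GHSA-8g7p-jf3g-gxcp.json
+++ b/advisories/github-reviewed/2026/03/GHSA-8g7p-jf3g-gxcp/GHSA-8g7p-jf3g-gxcp.json
@@ -1,11 +1,12 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-8g7p-jf3g-gxcp",
-"modified": "2026-03-23T06:30:29Z",
+"modified": "2026-03-29T15:51:28Z",
 "published": "2026-03-23T06:30:29Z",
 "aliases": [
 "CVE-2026-4598"
 ],
+"summary": "jsrsasign is vulnerable to DoS through Infinite Loop when processing zero or negative inputs",
 "details": "Versions of the package jsrsasign before 11.1.1 are vulnerable to Infinite loop via the bnModInverse function in ext/jsbn2.js when the BigInteger.modInverse implementation receives zero or negative inputs, allowing an attacker to hang the process permanently by supplying such crafted values (e.g., modInverse(0, m) or modInverse(-1, m)).",
 "severity": [
 {
@@ -14,10 +15,30 @@
 },
 {
 "type": "CVSS_V4",
-"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P"
+}
+],
+"affected": [
+{
+"package": {
+"ecosystem": "npm",
+"name": "jsrsasign"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "0"
+},
+{
+"fixed": "11.1.1"
+}
+]
+}
+]
 }
 ],
-"affected": [],
 "references": [
 {
 "type": "ADVISORY",
@@ -35,6 +56,10 @@
 "type": "WEB",
 "url": "https://gist.github.com/Kr0emer/a1bf5cd4547cc630d2dcc5e761de8264"
 },
+{
+"type": "PACKAGE",
+"url": "https://github.com/kjur/jsrsasign"
+},
 {
 "type": "WEB",
 "url": "https://security.snyk.io/vuln/SNYK-JS-JSRSASIGN-15370938"
@@ -45,8 +70,8 @@
 "CWE-835"
 ],
 "severity": "HIGH",
-"github_reviewed": false,
-"github_reviewed_at": null,
+"github_reviewed": true,
+"github_reviewed_at": "2026-03-29T15:51:28Z",
 "nvd_published_at": "2026-03-23T06:16:21Z"
 }
 }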
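Review bot: The new `summary` on new line 9 (`jsrsasign is vulnerable to DoS through Infinite Loop when processing zero or negative inputs`) uses a different summary form from the sibling advisory reviewed in this same commit, GHSA-w8q8-93cx-6h7r, which uses the `jsrsasign: <impact>` pattern; the two should agree, e.g. `"summary": "jsrsasign: Infinite loop in BigInteger.modInverse on zero or negative input enables denial of service"`. Separately, the references visible in this section carry only `ADVISORY`, `WEB` and the newly added `PACKAGE` types and no `FIX` entry; if the rest of the `references` array (outside this view) has none either, adding `{ "type": "FIX", "url": "<UPSTREAM_FIX_URL_TO_CONFIRM>" }` for the 11.1.1 change lets consumers verify the `fixed` boundary independently. The CVSS v4 vector with its trailing `X` (Not Defined) segments removed is equivalent to the old one, so that part needs no change.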

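--- a/advisories/unreviewed/2026/03/GHSA-w8q8-93cx-6h7r/GHSA-w8q8-93cx-6h7r.json
+++ b/advisories/github-reviewed/2026/03/GHSA-w8q8-93cx-6h7r/GHSA-w8q8-93cx-6h7r.json
@@ -1,11 +1,12 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-w8q8-93cx-6h7r",
-"modified": "2026-03-23T06:30:29Z",
+"modified": "2026-03-29T15:51:59Z",
 "published": "2026-03-23T06:30:29Z",
 "aliases": [
 "CVE-2026-4601"
 ],
+"summary": "jsrsasign: Missing cryptographic validation during DSA signing enables private key extraction",
 "details": "Versions of the package jsrsasign before 11.1.1 are vulnerable to Missing Cryptographic Step via the KJUR.crypto.DSA.signWithMessageHash process in the DSA signing implementation. An attacker can recover the private key by forcing r or s to be zero, so the library emits an invalid signature without retrying, and then solves for x from the resulting signature.",
 "severity": [
 {
@@ -14,10 +15,30 @@
 },
 {
 "type": "CVSS_V4",
-"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:H/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:H/SA:N/E:P"
+}
+],
+"affected": [
+{
+"package": {
+"ecosystem": "npm",
+"name": "jsrsasign"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "0"
+},
+{
+"fixed": "11.1.1"
+}
+]
+}
+]
 }
 ],
-"affected": [],
 "references": [
 {
 "type": "ADVISORY",
@@ -35,6 +56,10 @@
 "type": "WEB",
 "url": "https://gist.github.com/Kr0emer/93789fe6efe5519db9692d4ad1dad586"
 },
+{
+"type": "PACKAGE",
+"url": "https://github.com/kjur/jsrsasign"
+},
 {
 "type": "WEB",
 "url": "https://security.snyk.io/vuln/SNYK-JS-JSRSASIGN-15370941"
@@ -44,9 +69,9 @@
 "cwe_ids": [
 "CWE-325"
 ],
-"severity": "CRITICAL",
-"github_reviewed": false,
-"github_reviewed_at": null,
+"severity": "HIGH",
+"github_reviewed": true,
+"github_reviewed_at": "2026-03-29T15:51:59Z",
 "nvd_published_at": "2026-03-23T06:16:21Z"
 }
 }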
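Review bot: `database_specific.severity` is lowered from `CRITICAL` to `HIGH` in the last hunk while neither CVSS vector in this section changes in substance (the CVSS_V4 vector only loses its `X` Not-Defined segments), and the commit carries no description recording the rationale. If the label is derived from the CVSS_V3 entry, which sits above the first hunk and outside this view, that is consistent and only needs saying; otherwise a one-line reason in the commit message, or a trailing sentence in `details` such as `Severity was assessed as HIGH because exploitation requires a signing oracle that yields an r or s of zero (AC:H).`, gives downstream consumers the basis for the downgrade. The `affected` range (`introduced: "0"`, `fixed: "11.1.1"`) does agree with the "before 11.1.1" wording in `details`.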
