Description
In the jsrsasign package through 10.1.13 for Node.js, some invalid RSA PKCS#1 v1.5 signatures are mistakenly recognized as valid. NOTE: there is no known practical attack.
Remediation
References
https://github.com/kjur/jsrsasign/issues/478
https://github.com/kjur/jsrsasign/releases/tag/10.1.13
https://kjur.github.io/jsrsasign/