CVE-2022-25898: Improper Verification of Cryptographic Signature

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2022-25898

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

Improper Verification of Cryptographic Signature

Source: NVD (National Vulnerability Database)

Vulnerability Description

The package jsrsasign before 10.5.25 are vulnerable to Improper Verification of Cryptographic Signature when JWS or JWT signature with non Base64URL encoding special characters or number escaped characters may be validated as valid by mistake. Workaround: Validate JWS or JWT signature if it has Base64URL and dot safe string before executing JWS.verify() or JWS.verifyJWT() method.

Source: NVD (National Vulnerability Database)

CVSS Information

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:H

Source: NVD (National Vulnerability Database)

Vulnerability Type

N/A

Source: NVD (National Vulnerability Database)

Vulnerability Title

jsrsasign 数据伪造问题漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

jsrsasign package是日本浦岛贤治个人开发者的一款开源的加密库。 jsrsasign 10.5.25之前版本存在安全漏洞，该漏洞源于当 JWS 或 JWT 签名具有非 Base64URL 编码的特殊字符或数字转义字符可能被错误地验证为有效时，容易受到加密签名的不正确验证。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
-	jsrsasign	unspecified ~ 10.5.25	-

II. Public POCs for CVE-2022-25898

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2022-25898

Please Login to view more intelligence information

https://github.com/kjur/jsrsasign/releases/tag/10.5.25x_refsource_MISC
https://github.com/kjur/jsrsasign/commit/4536a6e9e8bcf1a644ab7c07ed96e453347dae41x_refsource_MISC
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBKJUR-2935897x_refsource_MISC
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-2935898x_refsource_MISC
https://snyk.io/vuln/SNYK-JS-JSRSASIGN-2869122x_refsource_MISC
https://nvd.nist.gov/vuln/detail/CVE-2022-25898

IV. Related Vulnerabilities

Same product: jsrsasign

Same vendor: n/a

V. Comments for CVE-2022-25898

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

I. Basic Information for CVE-2022-25898

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2022-25898

III. Intelligence Information for CVE-2022-25898

IV. Related Vulnerabilities

V. Comments for CVE-2022-25898

Leave a comment