Vulnerability Details : CVE-2022-25898
The package jsrsasign before 10.5.25 is vulnerable to Improper Verification of Cryptographic Signature: a JWS or JWT signature containing characters outside the Base64URL alphabet (special characters or numeric escape sequences) may be accepted as valid by mistake. Workaround: check that the JWS or JWT is a Base64URL-and-dot-safe string before calling the JWS.verify() or JWS.verifyJWT() method.
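The workaround above, as an added example that is not code from jsrsasign or the advisory: a Base64URL-and-dot pre-check to run on a token before it reaches JWS.verify() or JWS.verifyJWT(). The function names, the verifier callback and the sample tokens are constructed for this illustration.

```javascript
// Added example: pre-check for the advisory's workaround. Not part of
// jsrsasign; function names and sample tokens are constructed here.
const B64URL_SEGMENT = /^[A-Za-z0-9_-]+$/;

// True only if `token` is a compact JWS: exactly three dot-separated
// segments, each a non-empty Base64URL string (no '=' padding, no '+' or
// '/', no whitespace, no escape sequences).
function isSafeCompactJws(token) {
  if (typeof token !== "string") return false;
  const parts = token.split(".");
  if (parts.length !== 3) return false;
  return parts.every((p) => B64URL_SEGMENT.test(p));
}

// Wraps a verifier (e.g. JWS.verifyJWT bound with its key and options, as a
// hypothetical callback here) so malformed tokens are rejected before the
// library's signature check runs.
function verifyGuarded(token, verifyFn) {
  if (!isSafeCompactJws(token)) return false;
  return verifyFn(token) === true;
}

// Constructed sample: syntactically valid header.payload.signature. The
// signature segment is filler text, not a real signature.
const goodToken =
  "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9" +
  ".eyJzdWIiOiJhbGljZSJ9" +
  ".dGhpc19pc19ub3RfYV9yZWFsX3NpZ25hdHVyZQ";

// Constructed variants the guard must reject.
const badTokens = [
  goodToken + "=",                // Base64 padding is not Base64URL
  goodToken + "\n",               // trailing whitespace
  goodToken.slice(0, -1) + "+",   // standard-Base64 alphabet character
  goodToken + ".extra",           // fourth segment
  "header.payload",               // missing signature segment
];

// Returns the guard's verdict on the good token and on each bad variant.
function demo() {
  return { good: isSafeCompactJws(goodToken), bad: badTokens.map(isSafeCompactJws) };
}
```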
Products affected by CVE-2022-25898
- Jsrsasign Project » Jsrsasign » For Node.js: versions from and including (>=) 4.8.0 and before (<) 10.5.25. CPE: cpe:2.3:a:jsrsasign_project:jsrsasign:*:*:*:*:*:node.js:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-25898
- EPSS score: 1.30% (probability of exploitation activity in the next 30 days)
- Percentile: ~86% (the proportion of vulnerabilities scored at or below this value)
CVSS scores for CVE-2022-25898
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST |
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST |
7.7 | HIGH | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:H | 1.8 | 5.3 | Snyk |
CWE ids for CVE-2022-25898
- The product does not verify, or incorrectly verifies, the cryptographic signature for data. Assigned by: nvd@nist.gov (Primary)
References for CVE-2022-25898
- https://snyk.io/vuln/SNYK-JS-JSRSASIGN-2869122 : Improper Verification of Cryptographic Signature in jsrsasign | CVE-2022-25898 | Snyk (Exploit; Patch; Third Party Advisory)
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2935896 : Improper Verification of Cryptographic Signature in org.webjars.npm:jsrsasign | CVE-2022-25898 | Snyk (Exploit; Patch; Third Party Advisory)
- https://github.com/kjur/jsrsasign/commit/4536a6e9e8bcf1a644ab7c07ed96e453347dae41 : CVE-2022-25898 Security fix in JWS and JWT validation · kjur/jsrsasign@4536a6e · GitHub (Patch; Third Party Advisory)
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBKJUR-2935897 : Improper Verification of Cryptographic Signature in org.webjars.bowergithub.kjur:jsrsasign | CVE-2022-25898 | Snyk (Exploit; Patch; Third Party Advisory)
- https://github.com/kjur/jsrsasign/releases/tag/10.5.25 : Release CVE-2022-25898 Security fix in JWS and JWT validation · kjur/jsrsasign · GitHub (Release Notes; Third Party Advisory)
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-2935898 : Improper Verification of Cryptographic Signature in org.webjars.bower:jsrsasign | CVE-2022-25898 | Snyk (Exploit; Patch; Third Party Advisory)