CVE-2020-14966: Improper Verification of Cryptographic Signature

June 22, 2020 (updated July 24, 2020)

An issue was discovered in the jsrsasign package for Node.js. It allows a malleability in ECDSA signatures by not checking overflows in the length of a sequence and 0 characters appended or prepended to an integer. The modified signatures are verified as valid. This could have a security-relevant impact if an application relied on a single canonical signature.

References

nvd.nist.gov/vuln/detail/CVE-2020-14966

Code Behaviors & Features

Detect and mitigate CVE-2020-14966 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →