CVE-2020-14966
7.5 HIGH: An issue was discovered in the jsrsasign package through 8.0.18 for Node.js
Published: 2020-06-22 · Last updated: 2026-06-22
Severity and scoring
- CVSS: 7.5 HIGH
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
- CWE: CWE-347
Affected products
| Vendor | Product |
|---|---|
| kjur | jsrsasign, max_data |
| netapp | jsrsasign, max_data |
Description
An issue was discovered in the jsrsasign package through 8.0.18 for Node.js. It allows malleability in ECDSA signatures by not checking for overflows in the length of a sequence and for '0' characters appended or prepended to an integer. The modified signatures are verified as valid. This could have a security-relevant impact if an application relied on a single canonical signature.
Source: NVD
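The description above comes down to DER parsing that is too forgiving: an ECDSA signature is a SEQUENCE of two INTEGERs, and if the verifier accepts non-minimal lengths, padding bytes in r or s, or bytes after the end of the sequence, several distinct byte strings decode to the same (r, s) and all of them verify. The following added example (not jsrsasign code; all byte strings are constructed sample data) puts a deliberately lax decoder beside a strict one. The lax decoder returns the same (r, s) for the canonical encoding and for three re-encodings of it; the strict decoder accepts only the canonical form. A canonical re-encoder is included as well, since byte-comparing the received signature against its own canonical re-encoding is the simplest way for an application to enforce "one signature, one encoding".

```javascript
// Added example (not jsrsasign code): strict vs. lax DER decoding of an
// ECDSA signature, SEQUENCE { INTEGER r, INTEGER s }. Constructed sample data.

// Decode a DER length at buf[pos]. In strict mode, reject non-minimal forms.
function readLength(buf, pos, strict) {
  if (pos >= buf.length) throw new Error('truncated length');
  const first = buf[pos++];
  if (first < 0x80) return { len: first, pos };          // short form
  const n = first & 0x7f;                                // number of length bytes
  if (n === 0 || n > 2 || pos + n > buf.length) throw new Error('bad length form');
  let len = 0;
  for (let i = 0; i < n; i++) len = (len << 8) | buf[pos++];
  // DER: long form only when the value needs it, and no leading zero length bytes.
  if (strict && (len < 0x80 || (n === 2 && len < 0x100))) {
    throw new Error('non-minimal length encoding');
  }
  return { len, pos };
}

// Decode an INTEGER at buf[pos]; returns its value as a BigInt.
function readInteger(buf, pos, strict) {
  if (buf[pos] !== 0x02) throw new Error('expected INTEGER');
  const { len, pos: start } = readLength(buf, pos + 1, strict);
  const end = start + len;
  if (len === 0 || end > buf.length) throw new Error('bad INTEGER length');
  const content = buf.subarray(start, end);
  if (strict) {
    if (content[0] & 0x80) throw new Error('negative INTEGER');
    // A leading 0x00 is only allowed when the next byte would otherwise set the sign bit.
    if (content[0] === 0x00 && len > 1 && !(content[1] & 0x80)) {
      throw new Error('non-minimal INTEGER (leading zero padding)');
    }
  }
  return { value: BigInt('0x' + Buffer.from(content).toString('hex')), pos: end };
}

function parseSignature(buf, strict) {
  if (buf.length < 2 || buf[0] !== 0x30) throw new Error('expected SEQUENCE');
  const { len, pos } = readLength(buf, 1, strict);
  if (strict && pos + len !== buf.length) {
    throw new Error('SEQUENCE length does not cover exactly the input');
  }
  const r = readInteger(buf, pos, strict);
  const s = readInteger(buf, r.pos, strict);
  if (strict && s.pos !== buf.length) throw new Error('trailing bytes after s');
  return { r: r.value, s: s.value };
}

// Lax decoder (illustrates what a forgiving verifier effectively does) and strict decoder.
const parseLenient = (buf) => parseSignature(buf, false);
const parseStrict = (buf) => parseSignature(buf, true);

// Canonical DER re-encoding of (r, s).
function encodeLength(n) {
  if (n < 0x80) return Buffer.from([n]);
  if (n < 0x100) return Buffer.from([0x81, n]);
  return Buffer.from([0x82, n >> 8, n & 0xff]);
}
function encodeInteger(v) {
  let hex = v.toString(16);
  if (hex.length % 2) hex = '0' + hex;
  let bytes = Buffer.from(hex, 'hex');
  if (bytes[0] & 0x80) bytes = Buffer.concat([Buffer.from([0]), bytes]); // keep it positive
  return Buffer.concat([Buffer.from([0x02]), encodeLength(bytes.length), bytes]);
}
function encodeSignature(r, s) {
  const body = Buffer.concat([encodeInteger(r), encodeInteger(s)]);
  return Buffer.concat([Buffer.from([0x30]), encodeLength(body.length), body]);
}

// Constructed sample: canonical encoding of r = 0x7f, s = 0x80, plus three
// re-encodings that decode to the same pair under the lax decoder.
const canonical  = Buffer.from('300702017f02020080', 'hex');
const paddedR    = Buffer.from('30080202007f02020080', 'hex'); // leading 0x00 on r
const trailing   = Buffer.from('300702017f0202008000', 'hex'); // byte appended after s
const longLength = Buffer.from('30810702017f02020080', 'hex'); // long-form length for 7

// True when the strict decoder refuses the encoding.
function rejectsNonCanonical(buf) {
  try { parseStrict(buf); return false; } catch (e) { return true; }
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, sig] of Object.entries({ canonical, paddedR, trailing, longLength })) {
    const lax = parseLenient(sig);
    console.log(name, 'lenient -> r=0x' + lax.r.toString(16) + ' s=0x' + lax.s.toString(16),
      '| strict ->', rejectsNonCanonical(sig) ? 'REJECTED' : 'accepted');
  }
}
```

Where strictness in the decoder is not available, the equivalent check is `encodeSignature(r, s).equals(received)` after decoding: any signature whose bytes differ from their own canonical re-encoding is not the one the signer produced and should be refused before verification.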
References
- [NVD] https://nvd.nist.gov/vuln/detail/CVE-2020-14966
- [Exploit reference] https://github.com/kjur/jsrsasign/issues/437
- [Other] https://github.com/kjur/jsrsasign/releases/tag/8.0.17
- [Other] https://github.com/kjur/jsrsasign/releases/tag/8.0.18
- [Other] https://kjur.github.io/jsrsasign/
- [Other] https://security.netapp.com/advisory/ntap-20200724-0001/
- [Other] https://www.npmjs.com/package/jsrsasign