Impact

Vulnerable jsrsasign will accept RSA signature (RSASSA-PKCS1-v1_5) with improper PKCS#1.5 padding.
Decoded RSA signature value consists following form:

• 0001(ff...(8 or more ffs)...ff)00[ASN.1 OF DigestInfo]

Its byte length shall be the same as RSA key length however such checking was not sufficient.
So following decoded signature can be accepted by mistake:

• (000 .. more than 3 zeros)(short "f"s)00[ASN.1 OF DigestInfo]
• 001f(one more long "f"s)00[ASN.1 OF DigestInfo]

To make crafted valid message for practical attack is very hard since it's still relies on hash algorithm collision.

Patches

Users validating RSA signature should upgrade to 10.2.0 or later.

Workarounds

There is no workaround. Not to use RSA signature validation in jsrsasign otherwise update to 10.2.0.

ACKNOWLEDGEMENT

Thanks to Mr. Daniel Yahyazadeh @yahyazadeh for reporting and analyzing this vulnerability.

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30246
https://nvd.nist.gov/vuln/detail/CVE-2021-30246
https://tools.ietf.org/html/rfc8017#section-8.2
https://github.com/kjur/jsrsasign/releases/tag/10.2.0
#478