GHSA-p2hp-3wv3-4w74

Опубликовано: 24 фев. 2023

Источник: github

Github: Прошло ревью

CVSS3: 7.5

Описание

ecdh vulnerable to Exposure of Resource to Wrong Sphere

In Development IL ecdh before 0.2.0, an attacker can send an invalid point (not on the curve) as the public key, and obtain the derived shared secret.

Ссылки

https://nvd.nist.gov/vuln/detail/CVE-2022-44310
https://github.com/developmentil/ecdh/issues/3
https://github.com/developmentil/ecdh/pull/4
https://github.com/developmentil/ecdh/commit/ef4560e7233f4e8107a17a77bc540121599c78fa

Пакеты

Наименование

ecdh

npm

Затронутые версииВерсия исправления

< 0.2.0

0.2.0

EPSS

Процентиль: 25%

0.00085

Низкий

7.5 High

CVSS3

CVE ID

CVE-2022-44310

Дефекты

CWE-668

Связанные уязвимости

CVE-2022-44310

CVSS3: 7.5

nvd

почти 3 года назад

In Development IL ecdh before 0.2.0, an attacker can send an invalid point (not on the curve) as the public key, and obtain the derived shared secret.

EPSS

Процентиль: 25%

0.00085

Низкий

7.5 High

CVSS3

CVE ID

CVE-2022-44310

Дефекты

CWE-668