GHSA-rvj9-8cvx-3vq9

Опубликовано: 20 июл. 2018

Источник: github

Github: Прошло ревью

CVSS3: 5.9

Описание

Invalid Curve Attack in node-jose

Affected versions of node-jose are vulnerable to an invalid curve attack. This allows an attacker to recover the private secret key when JWE with Key Agreement with Elliptic Curve Diffie-Hellman Ephemeral Static (ECDH-ES) is used.

Proof of Concept

Recommendation

Update to version 0.9.3 or later.

Ссылки

Пакеты

Наименование

node-jose

npm

Затронутые версииВерсия исправления

< 0.9.3

0.9.3

EPSS

Процентиль: 48%

0.00249

Низкий

5.9 Medium

CVSS3

CVE ID

CVE-2017-16007

Дефекты

CWE-200

Связанные уязвимости

CVE-2017-16007

CVSS3: 5.9

nvd

больше 7 лет назад

node-jose is a JavaScript implementation of the JSON Object Signing and Encryption (JOSE) for current web browsers and node.js-based servers. node-jose earlier than version 0.9.3 is vulnerable to an invalid curve attack. This allows an attacker to recover the private secret key when JWE with Key Agreement with Elliptic Curve Diffie-Hellman Ephemeral Static (ECDH-ES) is used.

EPSS

Процентиль: 48%

0.00249

Низкий

5.9 Medium

CVSS3

CVE ID

CVE-2017-16007

Дефекты

CWE-200