CVE-2020-13822

Published: 01 Jun 2020
Source: redhat
CVSS3: 7.7
EPSS: Low

Description

The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.

The Elliptic for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.
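The malleability described above comes from lenient parsing of the DER signature encoding: a verifier that tolerates extra leading '\0' bytes, long-form or oversized lengths, or out-of-range integers will accept several byte strings for the same (r, s) pair. The strict parser below is an added example, not code from this page, from Red Hat, or from the elliptic project. It rejects those non-canonical encodings and optionally enforces the low-s rule that removes the (r, n - s) twin. The function names, the constructed sample values in the demo, and the choice of the secp256k1 group order are assumptions of the example.

```javascript
// Added example (not from the exploitDog page or the elliptic project): a strict
// DER parser for ECDSA signatures that accepts exactly one encoding per (r, s).
// The group order n is a parameter; SECP256K1_N is used only in the demo.

const SECP256K1_N = BigInt('0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141');

function bytesToBigInt(bytes) {
  let x = 0n;
  for (const b of bytes) x = (x << 8n) | BigInt(b);
  return x;
}

function bigIntToMinimalBytes(x) {
  // Minimal big-endian content of a positive DER INTEGER.
  let hex = x.toString(16);
  if (hex.length % 2) hex = '0' + hex;
  const out = [];
  for (let i = 0; i < hex.length; i += 2) out.push(parseInt(hex.slice(i, i + 2), 16));
  if (out[0] & 0x80) out.unshift(0x00); // one leading zero keeps the value positive
  return out;
}

function encodeDerSignature(r, s) {
  // Canonical DER: SEQUENCE { INTEGER r, INTEGER s } with minimal encodings.
  const rb = bigIntToMinimalBytes(r);
  const sb = bigIntToMinimalBytes(s);
  const body = [0x02, rb.length, ...rb, 0x02, sb.length, ...sb];
  return Uint8Array.from([0x30, body.length, ...body]);
}

function readStrictInteger(sig, offset) {
  if (sig[offset] !== 0x02) throw new Error('expected INTEGER tag');
  const len = sig[offset + 1];
  // Short-form length only: long-form lengths are where lenient parsers overflow.
  if (len === undefined || len === 0 || len >= 0x80) throw new Error('bad INTEGER length');
  const start = offset + 2;
  const end = start + len;
  if (end > sig.length) throw new Error('INTEGER overruns signature');
  const first = sig[start];
  if (first & 0x80) throw new Error('negative INTEGER');
  // A leading 0x00 is legal only when the next byte would otherwise read as negative.
  if (first === 0x00 && len > 1 && !(sig[start + 1] & 0x80)) {
    throw new Error('non-minimal INTEGER (superfluous leading zero)');
  }
  return { value: bytesToBigInt(sig.subarray(start, end)), next: end };
}

function parseStrictDerSignature(sig, n) {
  if (!(sig instanceof Uint8Array)) sig = Uint8Array.from(sig);
  if (sig.length < 8 || sig[0] !== 0x30) throw new Error('expected SEQUENCE');
  if (sig[1] >= 0x80 || sig[1] !== sig.length - 2) throw new Error('bad SEQUENCE length');
  const r = readStrictInteger(sig, 2);
  const s = readStrictInteger(sig, r.next);
  if (s.next !== sig.length) throw new Error('trailing bytes after signature');
  if (r.value < 1n || r.value >= n) throw new Error('r out of range');
  if (s.value < 1n || s.value >= n) throw new Error('s out of range');
  return { r: r.value, s: s.value };
}

function isCanonicalSignature(sig, n, requireLowS = true) {
  try {
    const { s } = parseStrictDerSignature(sig, n);
    // Low-s rule: of the twins (r, s) and (r, n - s), accept only s <= n / 2.
    return !requireLowS || s <= n / 2n;
  } catch (_e) {
    return false;
  }
}

function demo() {
  // Constructed sample scalars, not a real signature over any message.
  const r = 0xabcdn;
  const s = 0x1234n;
  const canonical = encodeDerSignature(r, s);
  // Same (r, s) with a superfluous 0x00 in front of s: a lenient parser accepts it.
  const padded = Uint8Array.from([0x30, 0x0a, 0x02, 0x03, 0x00, 0xab, 0xcd, 0x02, 0x03, 0x00, 0x12, 0x34]);
  const highS = encodeDerSignature(r, SECP256K1_N - s);
  return {
    canonical: isCanonicalSignature(canonical, SECP256K1_N), // true
    padded: isCanonicalSignature(padded, SECP256K1_N),       // false
    highS: isCanonicalSignature(highS, SECP256K1_N),         // false
  };
}

console.log(demo());
```

An application that stores or compares signatures by their bytes (deduplication, replay caches, transaction ids) should run the parser before the mathematical verification, so that the three byte strings in the demo are never treated as three different signatures.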

Statement

In both OpenShift Container Platform (OCP) and OpenShift ServiceMesh (OSSM), the grafana and prometheus containers don't use the vulnerable elliptic library for authentication (OpenShift OAuth is used) or traffic communications (OpenShift route is used). Therefore the impact for OCP and OSSM is Low. Red Hat Quay includes nodejs-elliptic as a dependency of webpack. That dependency is only used at development time, not runtime. Therefore this vulnerability is rated low for Red Hat Quay.

Affected packages

Platform                                   Package                     State          Advisory         Release date
OpenShift Service Mesh 1                   servicemesh-grafana         Fix deferred
Red Hat Quay 3                             quay/quay-rhel8             Fix deferred
Red Hat Single Sign-On 7                   nodejs                      Affected
Red Hat OpenShift Container Platform 4.6   openshift4/ose-grafana      Fixed          RHSA-2020:4298   27.10.2020
Red Hat OpenShift Container Platform 4.6   openshift4/ose-prometheus   Fixed          RHSA-2020:4298   27.10.2020
Text-Only RHSSO                            nodejs                      Fixed          RHSA-2020:5533   15.12.2020


Additional information

Status: Moderate
Defect: CWE-190
Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1848647
nodejs-elliptic: improper encoding checks allow a certain degree of signature malleability in ECDSA signatures

EPSS: 0.00187 (Low), percentile 40%
CVSS3: 7.7 High

Related vulnerabilities

ubuntu (CVSS3: 7.7, more than 5 years ago): The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.

nvd (CVSS3: 7.7, more than 5 years ago): same description as the ubuntu entry.

debian (CVSS3: 7.7, more than 5 years ago): The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleabi ...

github (CVSS3: 7.7, more than 5 years ago): Signature Malleability in elliptic
