exploitDog
CVE-2024-42459

Published: 02 Aug 2024
Source: redhat
CVSS3: 5.3
EPSS: Low

Description

In the Elliptic package 6.5.6 for Node.js, EDDSA signature malleability occurs because there is a missing signature length check, and thus zero-valued bytes can be removed or appended.

A flaw was found in the NodeJS Elliptic package. When creating EDDSA signatures, the Elliptic package doesn't properly check the signature length, allowing zeros to be added or removed from the signature without invalidating it, which may result in confidentiality issues.

Mitigation

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Affected packages

Platform | Package | Status | Recommendation | Release
Builds for Red Hat OpenShift | openshift-builds/openshift-builds-controller-rhel9 | Under investigation | | 
Builds for Red Hat OpenShift | openshift-builds/openshift-builds-git-cloner-rhel9 | Under investigation | | 
Builds for Red Hat OpenShift | openshift-builds/openshift-builds-image-bundler-rhel9 | Under investigation | | 
Builds for Red Hat OpenShift | openshift-builds/openshift-builds-image-processing-rhel9 | Under investigation | | 
Builds for Red Hat OpenShift | openshift-builds/openshift-builds-rhel9-operator | Under investigation | | 
Builds for Red Hat OpenShift | openshift-builds/openshift-builds-shared-resource-rhel9 | Under investigation | | 
Builds for Red Hat OpenShift | openshift-builds/openshift-builds-shared-resource-webhook-rhel9 | Under investigation | | 
Builds for Red Hat OpenShift | openshift-builds/openshift-builds-waiters-rhel9 | Under investigation | | 
Builds for Red Hat OpenShift | openshift-builds/openshift-builds-webhook-rhel9 | Under investigation | | 
Logging Subsystem for Red Hat OpenShift | openshift-logging/kibana6-rhel8 | Under investigation | | 

Additional information

Status: Moderate
Defect: CWE-325
Bug: https://bugzilla.redhat.com/show_bug.cgi?id=2302458
elliptic: nodejs/elliptic: EDDSA signature malleability due to missing signature length check

EPSS: 0.00131 (percentile 33%, Low)
CVSS3: 5.3 Medium

Related vulnerabilities

CVSS3: 5.3
ubuntu
more than 1 year ago

In the Elliptic package 6.5.6 for Node.js, EDDSA signature malleability occurs because there is a missing signature length check, and thus zero-valued bytes can be removed or appended.

CVSS3: 5.3
nvd
more than 1 year ago

In the Elliptic package 6.5.6 for Node.js, EDDSA signature malleability occurs because there is a missing signature length check, and thus zero-valued bytes can be removed or appended.

CVSS3: 5.3
msrc
more than 1 year ago

No description

CVSS3: 5.3
debian
more than 1 year ago

In the Elliptic package 6.5.6 for Node.js, EDDSA signature malleabilit ...

CVSS3: 5.3
github
more than 1 year ago

Elliptic's EDDSA missing signature length check