CVE-2024-42460

Опубликовано: 02 авг. 2024

Источник: redhat

CVSS3: 5.3

EPSS Низкий

Описание

In the Elliptic package 6.5.6 for Node.js, ECDSA signature malleability occurs because there is a missing check for whether the leading bit of r and s is zero.

A flaw was found in the Elliptic NodeJS package where it fails to properly verify the leading bit for the R and S values used in the ECDSA signature. This issue may lead to a scenario where an attacker can modify the signature without the Elliptic library being able to properly reject it, causing data confidentiality issues.

Меры по смягчению последствий

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Затронутые пакеты

Платформа	Пакет	Состояние
Builds for Red Hat OpenShift	openshift-builds/openshift-builds-waiters-rhel9	Not affected
Logging Subsystem for Red Hat OpenShift	openshift-logging/kibana6-rhel8	Not affected
OpenShift Lightspeed	openshift-lightspeed-beta/lightspeed-rhel9-operator	Not affected
OpenShift Pipelines	openshift-pipelines/pipelines-hub-ui-rhel8	Will not fix
OpenShift Serverless	elliptic	Will not fix
OpenShift Service Mesh 2	openshift-service-mesh/kiali-rhel8	Affected
Red Hat Developer Hub	rhdh/rhdh-hub-rhel9	Not affected
Red Hat Enterprise Linux 6	firefox	Out of support scope
Red Hat Enterprise Linux 6	thunderbird	Out of support scope
Red Hat Enterprise Linux 7	thunderbird	Out of support scope

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate

Дефект:

CWE-325

https://bugzilla.redhat.com/show_bug.cgi?id=2302459elliptic: nodejs/elliptic: ECDSA signature malleability due to missing checks

EPSS

Процентиль: 47%

0.00241

Низкий

5.3 Medium

CVSS3

Связанные уязвимости

CVE-2024-42460

CVSS3: 5.3

ubuntu

больше 1 года назад

In the Elliptic package 6.5.6 for Node.js, ECDSA signature malleability occurs because there is a missing check for whether the leading bit of r and s is zero.

CVE-2024-42460

CVSS3: 5.3

nvd

больше 1 года назад

In the Elliptic package 6.5.6 for Node.js, ECDSA signature malleability occurs because there is a missing check for whether the leading bit of r and s is zero.

CVE-2024-42460

CVSS3: 5.3

msrc

больше 1 года назад

Описание отсутствует

CVE-2024-42460

CVSS3: 5.3

debian

больше 1 года назад

In the Elliptic package 6.5.6 for Node.js, ECDSA signature malleabilit ...

GHSA-977x-g7h5-7qgw

CVSS3: 5.3

github

больше 1 года назад

Elliptic's ECDSA missing check for whether leading bit of r and s is zero

EPSS

Процентиль: 47%

0.00241

Низкий

5.3 Medium

CVSS3