
CVE-2024-48949

Published: 10 Oct 2024
Source: redhat
CVSS3: 8.2
EPSS: Low

Description

The verify function in lib/elliptic/eddsa/index.js in the Elliptic package before 6.5.6 for Node.js omits "sig.S().gte(sig.eddsa.curve.n) || sig.S().isNeg()" validation.

A flaw was found in the Elliptic package. This vulnerability allows attackers to bypass EDDSA signature validation via improper handling of signature values where the S() component of the signature is not properly checked for being non-negative or smaller than the curve order.
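As an added illustration (not code from this page or from the elliptic project), the canonical-range check on S that the description says verify() omitted, written stand-alone against a raw 64-byte Ed25519 signature (R || S, little-endian per RFC 8032); the Ed25519 group order constant and the constructed sample signatures are assumptions of the example.

```javascript
// Added example: the range check `S >= n || S < 0` (the test the advisory says
// was missing) applied to a raw Ed25519 signature before verification.

// Ed25519 group order n = 2^252 + 27742317777372353535851937790883648493.
const ED25519_ORDER = (1n << 252n) + 27742317777372353535851937790883648493n;

// Decode a little-endian byte array into a BigInt.
function leBytesToBigInt(bytes) {
  let x = 0n;
  for (let i = bytes.length - 1; i >= 0; i--) {
    x = (x << 8n) | BigInt(bytes[i]);
  }
  return x;
}

// Encode a BigInt (< 2^256) as 32 little-endian bytes; used to build samples.
function bigIntToLe32(x) {
  const out = new Uint8Array(32);
  for (let i = 0; i < 32; i++) {
    out[i] = Number((x >> BigInt(8 * i)) & 0xffn);
  }
  return out;
}

// Equivalent of `sig.S().gte(curve.n) || sig.S().isNeg()` being false:
// the scalar S must lie in the canonical range [0, n).
function scalarInCanonicalRange(s, order = ED25519_ORDER) {
  return s >= 0n && s < order;
}

// Pre-check to run before handing a signature to any verifier: rejects a
// malformed length and a non-canonical S, which a verifier without this
// check would otherwise reduce modulo n and accept.
function isCanonicalEd25519Signature(sigBytes) {
  if (!(sigBytes instanceof Uint8Array) || sigBytes.length !== 64) return false;
  const s = leBytesToBigInt(sigBytes.subarray(32));
  return scalarInCanonicalRange(s);
}

// Constructed sample signature with the given S; R is left as zeros because
// only the S half matters for this check (no real key is involved).
function buildSample(sScalar) {
  const sig = new Uint8Array(64);
  sig.set(bigIntToLe32(sScalar), 32);
  return sig;
}
```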

Statement

Thunderbird is not supported in Red Hat Enterprise Linux 7 ELS.

Mitigation

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Affected packages

Platform                                  Package                                                State          Recommendation   Release
Logging Subsystem for Red Hat OpenShift   openshift-logging/kibana6-rhel8                        Not affected
OpenShift Pipelines                       openshift-pipelines/pipelines-console-plugin-rhel8     Affected
OpenShift Pipelines                       openshift-pipelines/pipelines-hub-api-rhel8            Will not fix
OpenShift Pipelines                       openshift-pipelines/pipelines-hub-db-migration-rhel8   Will not fix
OpenShift Pipelines                       openshift-pipelines/pipelines-hub-ui-rhel8             Will not fix
OpenShift Service Mesh 2                  openshift-service-mesh/kiali-ossmc-rhel8               Not affected
OpenShift Service Mesh 2                  openshift-service-mesh/kiali-rhel8                     Not affected
Red Hat 3scale API Management Platform 2  3scale-amp-system-container                            Affected
Red Hat Developer Hub                     rhdh-operator-container                                Not affected
Red Hat Developer Hub                     rhdh/rhdh-hub-rhel9                                    Not affected


Additional information

Status:
Important

Weakness:
CWE-347

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2317724
elliptic: Missing Validation in Elliptic's EDDSA Signature Verification

EPSS

Percentile: 31%
0.00114
Low

CVSS3

8.2 High

Related vulnerabilities

CVSS3: 9.1
ubuntu
more than 1 year ago

The verify function in lib/elliptic/eddsa/index.js in the Elliptic package before 6.5.6 for Node.js omits "sig.S().gte(sig.eddsa.curve.n) || sig.S().isNeg()" validation.

CVSS3: 9.1
nvd
more than 1 year ago

The verify function in lib/elliptic/eddsa/index.js in the Elliptic package before 6.5.6 for Node.js omits "sig.S().gte(sig.eddsa.curve.n) || sig.S().isNeg()" validation.

CVSS3: 9.1
msrc
about 1 year ago

No description

CVSS3: 9.1
debian
more than 1 year ago

The verify function in lib/elliptic/eddsa/index.js in the Elliptic pac ...

CVSS3: 5.3
github
more than 1 year ago

Elliptic's verify function omits uniqueness validation
