CVSS3
Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | HIGH |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | NONE |
Integrity Impact | LOW |
Availability Impact | LOW |

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
The Elliptic package 6.5.7 for Node.js, in its ECDSA implementation, does not correctly verify valid signatures if the hash contains at least four leading 0 bytes and the order of the elliptic curve’s base point is smaller than the hash, because of a _truncateToN anomaly. This leads to valid signatures being rejected. Legitimate transactions or communications may be incorrectly flagged as invalid.
OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
Debian | 12 | all | node-elliptic | <= 6.5.4~dfsg-2 | node-elliptic_6.5.4~dfsg-2_all.deb |
Debian | 11 | all | node-elliptic | <= 6.5.4~dfsg-1 | node-elliptic_6.5.4~dfsg-1_all.deb |
Debian | 999 | all | node-elliptic | <= 6.5.7+dfsg-1 | node-elliptic_6.5.7+dfsg-1_all.deb |
Debian | 13 | all | node-elliptic | <= 6.5.7+dfsg-1 | node-elliptic_6.5.7+dfsg-1_all.deb |