Oct 15, 2024 - 2:15 p.m.

CVE-2024-48948

2024-10-15 14:15:05
Debian Security Bug Tracker
security-tracker.debian.org
node.js
ecdsa
elliptic package
valid signatures
vulnerability
unix

CVSS3: 4.8

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: LOW

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L

AI Score: 7.2
Confidence: Low

The Elliptic package 6.5.7 for Node.js, in its ECDSA implementation, does not correctly verify valid signatures if the hash contains at least four leading 0 bytes and the order of the elliptic curve’s base point is smaller than the hash, because of an _truncateToN anomaly. This leads to valid signatures being rejected. Legitimate transactions or communications may be incorrectly flagged as invalid.
