Lucene search

GitHub Advisory DatabaseGHSA-Q3F4-9H4P-VGR3

HistorySep 25, 2022 - 12:00 a.m.

secp256k1-js implements ECDSA without required r and s validation, leading to signature forgery

2022-09-2500:00:15

CWE-347

GitHub Advisory Database

github.com

secp256k1-js

ecdsa

validation

node.js

package

signature forgery

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS

0.001

Percentile

38.5%

JSON

The secp256k1-js package before 1.1.0 for Node.js implements ECDSA without required r and s validation, leading to signature forgery.

Affected configurations

Vulners

Node

lionellosecp256k1-jsRange<1.1.0

VendorProductVersionCPE
lionellosecp256k1-js*cpe:2.3:a:lionello:secp256k1-js:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
lionello	secp256k1-js	*	cpe:2.3:a:lionello:secp256k1-js::::::::

References

github.com/advisories/GHSA-q3f4-9h4p-vgr3

github.com/lionello/secp256k1-js/commit/302800f0370b42e360a33774bb808274ac729c2e

github.com/lionello/secp256k1-js/compare/1.0.1...1.1.0

github.com/lionello/secp256k1-js/issues/11

nvd.nist.gov/vuln/detail/CVE-2022-41340

www.npmjs.com/package/@lionello/secp256k1-js

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS

0.001

Percentile

38.5%

JSON

Related for GHSA-Q3F4-9H4P-VGR3