GitHub Advisory DatabaseGHSA-RVJ9-8CVX-3VQ9Invalid Curve Attack in node-jose
4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
0.002 Low
EPSS
Percentile
60.9%
Affected versions of node-jose are vulnerable to an invalid curve attack. This allows an attacker to recover the private secret key when JWE with Key Agreement with Elliptic Curve Diffie-Hellman Ephemeral Static (ECDH-ES) is used.
Recommendation
Update to version 0.9.3 or later.
Affected configurations
References
blog.intothesymmetry.com/2017/03/critical-vulnerability-in-json-web.html
gist.github.com/asanso/fa25685348051ef6a28d49aa0f27a4ae
github.com/advisories/GHSA-rvj9-8cvx-3vq9
github.com/cisco/node-jose/commit/f92cffb4a0398b4b1158be98423369233282e0af
github.com/cisco/node-jose/compare/0.9.2...0.9.3
github.com/cisco/node-jose/pull/88
nvd.nist.gov/vuln/detail/CVE-2017-16007
Related
4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
0.002 Low
EPSS
Percentile
60.9%