5 matches found
CVE-2023-25653
node-jose is a JavaScript implementation of the JSON Object Signing and Encryption JOSE for web browsers and node.js-based servers. Prior to version 2.2.0, when using the non-default "fallback" crypto back-end, ECC operations in node-jose can trigger a Denial-of-Service DoS condition, due to a...
Security Bulletin: Cisco node-jose is vulnerable to CVE-2023-25653 used in IBM Maximo Application Suite - Monitor Component
Summary IBM Maximo Application Suite - Monitor Component uses Cisco node-jose which is vulnerable to CVE-2023-25653. Vulnerability Details CVEID:CVE-2023-25653 DESCRIPTION: Cisco node-jose is vulnerable to a denial of service, caused by improper calculations in ECC implementation. By sending a...
7ghost (>=4.11.0 <=4.11.46), @abbott-platform/abbott-framework (>=1.6.0 <=1.6.7) +586 more potentially affected by CVE-2023-25653 via node-jose (>=0.10.0 <=2.1.1)
node-jose NPM version =0.10.0, =4.11.0, =1.6.0, =1.5.3, =0.0.1, =0.0.0-development, =1.1.0, =0.0.1-beta.0, =0.0.2, =0.0.2, =5.5.1, =1.0.0, =0.1.0, =0.0.2, =4.5.0, =4.5.35 and more Source cves: CVE-2023-25653 Source advisory: OSV:GHSA-5H4J-QRVG-9XHW...
CVE-2023-25653 Improper calculations in ECC implementation can trigger a Denial-of-Service (DoS)
node-jose is a JavaScript implementation of the JSON Object Signing and Encryption JOSE for web browsers and node.js-based servers. Prior to version 2.2.0, when using the non-default "fallback" crypto back-end, ECC operations in node-jose can trigger a Denial-of-Service DoS condition, due to a...
CVE-2023-25653
CVE-2023-25653 affects the node-jose library (JOSE for web browsers and Node.js) when using the non-default fallback crypto backend. The root cause is an infinite loop in ECC-related calculations due to how the modular inverse result from the jsbn library can be negative, which breaks the Barrett...