CVE-2023-25653
node-jose is a JavaScript implementation of the JSON Object Signing and Encryption (JOSE) for web browsers and node.js-based servers. Prior to version 2.2.0, when using the non-default "fallback" crypto back-end, ECC operations in node-jose can trigger a Denial-of-Service (DoS) condition, due to a...
EUVD-2018-0319
Malware in sbrugna...
EUVD-2023-0629
Malicious code in bioql PyPI...
Security Bulletin: Cisco node-jose is vulnerable to CVE-2023-25653 used in IBM Maximo Application Suite - Monitor Component
Summary: IBM Maximo Application Suite - Monitor Component uses Cisco node-jose which is vulnerable to CVE-2023-25653. Vulnerability Details: CVEID: CVE-2023-25653. DESCRIPTION: Cisco node-jose is vulnerable to a denial of service, caused by improper calculations in ECC implementation. By sending a...
Denial Of Service (DoS)
node-jose is vulnerable to Denial Of Service (DoS). The vulnerability exists due to an infinite loop in the internal calculation for some ECC operations when using the library's non-default "fallback" crypto back-end, when either WebCrypto or the crypto module is unavailable, which allows an attack...
7ghost (>=4.11.0 <=4.11.46), @abbott-platform/abbott-framework (>=1.6.0 <=1.6.7) +587 more potentially affected by CVE-2023-25653 via node-jose (>=0.10.0 <=2.1.1)
node-jose NPM version =0.10.0, =4.11.0, =1.6.0, =1.5.3, =0.0.1, =0.0.0-development, =1.1.0, =0.0.1-beta.0, =0.0.2, =0.0.2, =5.5.1, =1.0.0, =0.1.0, =0.0.2, =4.5.0, =4.5.35 and more Source cves: CVE-2023-25653 Source advisory: OSV:GHSA-5H4J-QRVG-9XHW...
GHSA-5H4J-QRVG-9XHW Improper calculations in ECC implementation can trigger a Denial-of-Service (DoS)
Description: When using the non-default "fallback" crypto back-end, ECC operations in node-jose can trigger a Denial-of-Service (DoS) condition, due to a possible infinite loop in an internal calculation. For some ECC operations, this condition is triggered randomly; for others, it can be triggered ...
CVE-2023-25653
CVE-2023-25653 affects the node-jose library (JOSE for web browsers and Node.js) when using the non-default fallback crypto backend. The root cause is an infinite loop in ECC-related calculations due to how the modular inverse result from the jsbn library can be negative, which breaks the Barrett...
CVE-2023-25653 Improper calculations in ECC implementation can trigger a Denial-of-Service (DoS)
node-jose is a JavaScript implementation of the JSON Object Signing and Encryption (JOSE) for web browsers and node.js-based servers. Prior to version 2.2.0, when using the non-default "fallback" crypto back-end, ECC operations in node-jose can trigger a Denial-of-Service (DoS) condition, due to a...
@financialforcedev/orizuru-auth (=3.0.4), @kognifai/oidc-provider-fork (=2.5.1) +7 more potentially affected by CVE-2018-0114 via node-jose (=0.10.0)
node-jose NPM version =0.10.0 is affected by a known vulnerability. The following packages have a transitive dependency on node-jose and may be impacted: - @financialforcedev/orizuru-auth =3.0.4 - @kognifai/oidc-provider-fork =2.5.1 - @kognifai/poseidon-dev-host =2.0.0, =0.0.1, =2.4.0, =1.16.0,...
Cisco node-jose improper validation of JWT signature
A vulnerability in the Cisco node-jose open source library before 0.11.0 could allow an unauthenticated, remote attacker to re-sign tokens using a key that is embedded within the token. The vulnerability is due to node-jose following the JSON Web Signature (JWS) standard for JSON Web Tokens (JWTs)...
GHSA-JFXM-W8G2-4RCV Cisco node-jose improper validation of JWT signature
A vulnerability in the Cisco node-jose open source library before 0.11.0 could allow an unauthenticated, remote attacker to re-sign tokens using a key that is embedded within the token. The vulnerability is due to node-jose following the JSON Web Signature (JWS) standard for JSON Web Tokens (JWTs)...
Security Bulletin: Three vulnerabilities in Nimbus JOSE+JWT affect IBM Spectrum Conductor
Summary There are three vulnerabilities in Nimbus JOSE+JWT 3.1.2 used by IBM Spectrum Conductor 2.4.1, IBM Spectrum Conductor 2.4.0 and IBM Spectrum Conductor 2.3.0. IBM Spectrum Conductor 2.4.1, IBM Spectrum Conductor 2.4.0 and IBM Spectrum Conductor 2.3 have addressed the applicable CVEs...
GHSA-RVJ9-8CVX-3VQ9 Invalid Curve Attack in node-jose
Affected versions of node-jose are vulnerable to an invalid curve attack. This allows an attacker to recover the private secret key when JWE with Key Agreement with Elliptic Curve Diffie-Hellman Ephemeral Static (ECDH-ES) is used. Proof of Concept. Recommendation: Update to version 0.9.3 or later...
Invalid Curve Attack in node-jose
Affected versions of node-jose are vulnerable to an invalid curve attack. This allows an attacker to recover the private secret key when JWE with Key Agreement with Elliptic Curve Diffie-Hellman Ephemeral Static (ECDH-ES) is used. Proof of Concept. Recommendation: Update to version 0.9.3 or later...
node-jose information disclosure vulnerability
node-jose is an open source library for JSON Object Signing and Encryption for web browsers and node.js-based servers. A security vulnerability exists in versions of node-jose prior to 0.9.3. An attacker can exploit the vulnerability to obtain sensitive information...
CVE-2017-16007
node-jose is a JavaScript implementation of the JSON Object Signing and Encryption (JOSE) for current web browsers and node.js-based servers. node-jose earlier than version 0.9.3 is vulnerable to an invalid curve attack. This allows an attacker to recover the private secret key when JWE with Key...
Code injection
node-jose is a JavaScript implementation of the JSON Object Signing and Encryption (JOSE) for current web browsers and node.js-based servers. node-jose earlier than version 0.9.3 is vulnerable to an invalid curve attack. This allows an attacker to recover the private secret key when JWE with Key...