3 matches found
CVE-2018-0114
CVE-2018-0114 affects the Cisco node-jose library prior to 0.11.0. The flaw arises when a JSON Web Signature (JWS) header can carry a JWK (public key) that is then trusted for verification. An unauthenticated, remote attacker could forge valid JWS objects by removing the original signature, inser...
CVE-2017-16007
CVE-2017-16007 affects the node-jose library prior to 0.9.3, where JWE with ECDH-ES can permit an invalid-curve attack and allow recovery of the private key. The vulnerability is described across NVD, OSV, GHSA, and IBM advisories, which also recommend upgrading to 0.9.3 or later as the remediati...
CVE-2023-25653
CVE-2023-25653 affects the node-jose library (JOSE for web browsers and Node.js) when using the non-default fallback crypto backend. The root cause is an infinite loop in ECC-related calculations due to how the modular inverse result from the jsbn library can be negative, which breaks the Barrett...