CVE-2022-44310
ecdh vulnerable to Exposure of Resource to Wrong Sphere
7.5 HIGH (CVSS 3.1), EPSS 0.25%
Description
In Development IL ecdh before 0.2.0, the shared-secret derivation does not verify that the peer's public key is a point on the curve, so an attacker can send an invalid point (not on the curve) as the public key and obtain the derived shared secret.
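The check a fixed implementation has to perform before deriving a shared secret, as an added example that is not the ecdh package's own code: a peer public key is accepted only if both coordinates are in range and satisfy the curve equation, and everything else aborts the key agreement. It assumes secp256k1 (SEC 2 parameters) and the uncompressed SEC1 encoding 0x04 || X || Y; the helper names are mine.

```javascript
const SECP256K1 = { // assumed curve: secp256k1, SEC 2 parameters (added example, not ecdh's code)
  p: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2Fn,
  a: 0n,
  b: 7n,
  gx: 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798n,
  gy: 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8n,
};

const mod = (v, p) => ((v % p) + p) % p;

// True only if (x, y) is an affine point on y^2 = x^3 + a*x + b over F_p with both
// coordinates in [0, p); out-of-range coordinates, infinity and points on any other curve fail.
function isOnCurve(x, y, curve = SECP256K1) {
  const { p, a, b } = curve;
  if (typeof x !== 'bigint' || typeof y !== 'bigint') return false;
  if (x < 0n || x >= p || y < 0n || y >= p) return false;
  return mod(y * y, p) === mod(x * x * x + a * x + b, p);
}

function bytesToBigInt(bytes) {
  let v = 0n;
  for (const byte of bytes) v = (v << 8n) | BigInt(byte);
  return v;
}

function bigIntToBytes(v, len) {
  const out = new Uint8Array(len);
  for (let i = len - 1; i >= 0; i--) { out[i] = Number(v & 0xFFn); v >>= 8n; }
  return out;
}

// Encoder used here only to build sample inputs: 0x04 || X || Y.
function encodeUncompressed(x, y) {
  const out = new Uint8Array(65);
  out[0] = 0x04;
  out.set(bigIntToBytes(x, 32), 1);
  out.set(bigIntToBytes(y, 32), 33);
  return out;
}

// Parse and validate an incoming peer key: returns {x, y} or null. A null result
// must abort the key agreement rather than fall through to scalar multiplication
// with whatever point the peer supplied.
function parsePeerPublicKey(bytes, curve = SECP256K1) {
  if (!(bytes instanceof Uint8Array) || bytes.length !== 65 || bytes[0] !== 0x04) return null;
  const x = bytesToBigInt(bytes.subarray(1, 33));
  const y = bytesToBigInt(bytes.subarray(33, 65));
  return isOnCurve(x, y, curve) ? { x, y } : null;
}
```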
How to fix CVE-2022-44310
To remediate CVE-2022-44310, upgrade the affected package to a fixed version below.
- npm/ecdh—upgrade to 0.2.0 or later
Is CVE-2022-44310 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- npm/ecdh: versions >= 0 and < 0.2.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (7.5) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |