CVE-2017-16007
MEDIUM5.9EPSS 0.25%Invalid Curve Attack in node-jose
發布日:2018/7/20修改日:2023/11/8
描述
Affected versions of `node-jose` are vulnerable to an invalid curve attack. This allows an attacker to recover the private secret key when JWE with Key Agreement with Elliptic Curve Diffie-Hellman Ephemeral Static (ECDH-ES) is used. [Proof of Concept](https://gist.github.com/asanso/fa25685348051ef6a28d49aa0f27a4ae) ## Recommendation Update to version 0.9.3 or later.
受影響套件(1)
- npm/node-josefrom 0, < 0.9.3
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.9 | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |
參考連結(7)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2017-16007
- PATCHhttps://github.com/cisco/node-jose
- WEBhttp://blog.intothesymmetry.com/2017/03/critical-vulnerability-in-json-web.html
- WEBhttps://gist.github.com/asanso/fa25685348051ef6a28d49aa0f27a4ae
- WEBhttps://github.com/cisco/node-jose/commit/f92cffb4a0398b4b1158be98423369233282e0af
- WEBhttps://github.com/cisco/node-jose/compare/0.9.2...0.9.3
- WEBhttps://github.com/cisco/node-jose/pull/88