CVE-2022-44310 – ecdh
Package
Manager: npm
Name: ecdh
Vulnerable Version: >=0 <0.2.0
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00063 (percentile 0.19933)
Details
ecdh vulnerable to Exposure of Resource to Wrong Sphere
In Development IL ecdh before 0.2.0, an attacker can send an invalid point (not on the curve) as the public key, and obtain the derived shared secret.
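An added example, not code from the ecdh package or from the advisory: the validation that rejects a peer public key that is not on the curve, applied before any shared secret is derived. NIST P-256, the uncompressed SEC1 encoding and all function and constant names are assumptions; the advisory does not say which curves are affected.

```javascript
// NIST P-256 domain parameters (assumed curve; the advisory names none).
const P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffffn;
const A = P - 3n;
const B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604bn;
const GX_HEX = "6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296";
const GY_HEX = "4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5";

// Reduce into [0, P) even when the intermediate value is negative.
const mod = (v) => ((v % P) + P) % P;

function hexToBytes(hex) {
  const out = new Uint8Array(hex.length / 2);
  for (let i = 0; i < out.length; i++) out[i] = parseInt(hex.slice(i * 2, i * 2 + 2), 16);
  return out;
}

function bytesToBigInt(bytes) {
  let v = 0n;
  for (const b of bytes) v = (v << 8n) | BigInt(b);
  return v;
}

// Validate an uncompressed SEC1 public key (0x04 || X || Y) received from a peer.
// Returns { x, y } on success and throws otherwise. P-256 has cofactor 1, so a
// point that passes is in the prime-order group; other curves may need more checks.
function validatePeerPublicKey(bytes) {
  if (!(bytes instanceof Uint8Array) || bytes.length !== 65 || bytes[0] !== 0x04) {
    throw new Error("expected a 65-byte uncompressed point");
  }
  const x = bytesToBigInt(bytes.subarray(1, 33));
  const y = bytesToBigInt(bytes.subarray(33, 65));
  if (x >= P || y >= P) throw new Error("coordinate out of field range");
  // Curve equation y^2 = x^3 + ax + b (mod p): an invalid point fails here.
  if (mod(y * y) !== mod(x * x * x + A * x + B)) throw new Error("point is not on the curve");
  return { x, y };
}

function isValidPeerKey(bytes) {
  try { validatePeerPublicKey(bytes); return true; } catch { return false; }
}

// Constructed samples: the P-256 base point, and the same encoding with the
// last byte of Y flipped by one bit so the point leaves the curve.
const GOOD_KEY = hexToBytes("04" + GX_HEX + GY_HEX);
const BAD_KEY = GOOD_KEY.slice();
BAD_KEY[64] ^= 0x01;
```

Call `validatePeerPublicKey` on every received key and abort the key exchange when it throws, before the private scalar is ever multiplied with the supplied point.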
Metadata
Created: 2023-02-24T21:30:18Z
Modified: 2023-03-08T17:22:31Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-p2hp-3wv3-4w74/GHSA-p2hp-3wv3-4w74.json
CWE IDs: ["CWE-668"]
Alternative ID: GHSA-p2hp-3wv3-4w74
Finding: F017
Auto approve: 1