CVE-2020-13822 – elliptic
Package
Manager: npm
Name: elliptic
Vulnerable Version: >=0 <6.5.3
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
EPSS: 0.00411 (percentile: 0.60605)
Details
Signature Malleability in elliptic

The Elliptic package before version 6.5.3 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.
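An added example (not code from elliptic or from the advisory): a strict DER check that an application relying on one canonical signature encoding could run before verification, rejecting non-minimal lengths, padded or negative integers, trailing bytes and out-of-range values. The function names and the choice of the secp256k1 group order are assumptions made for illustration.

```javascript
'use strict';
// Group order n of secp256k1 (assumption: the application signs on this curve).
const N = BigInt('0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141');

// Read a DER length at buf[pos]; only the minimal form is accepted.
function readLen(buf, pos) {
  if (pos >= buf.length) return null;
  const first = buf[pos];
  if (first < 0x80) return { len: first, next: pos + 1 };  // short form
  if (first !== 0x81) return null;      // wider length fields are never needed here
  if (pos + 1 >= buf.length) return null;
  const len = buf[pos + 1];
  if (len < 0x80) return null;          // long form used where short form fits
  return { len, next: pos + 2 };
}

// Read a non-negative, minimally encoded INTEGER.
function readInt(buf, pos) {
  if (buf[pos] !== 0x02) return null;
  const l = readLen(buf, pos + 1);
  if (!l || l.len === 0 || l.next + l.len > buf.length) return null;
  const body = buf.subarray(l.next, l.next + l.len);
  if (body[0] & 0x80) return null;      // would decode as a negative number
  // A leading 0x00 is allowed only when the next byte has its high bit set.
  if (body.length > 1 && body[0] === 0 && !(body[1] & 0x80)) return null;
  const value = BigInt('0x' + Buffer.from(body).toString('hex'));
  return { value, next: l.next + l.len };
}

// Return {r, s} for a canonical SEQUENCE { INTEGER r, INTEGER s }, else null.
function parseStrictDer(sig, n = N) {
  if (sig[0] !== 0x30) return null;
  const seq = readLen(sig, 1);
  if (!seq || seq.next + seq.len !== sig.length) return null;  // trailing bytes
  const r = readInt(sig, seq.next);
  const s = r && readInt(sig, r.next);
  if (!s || s.next !== sig.length) return null;
  // Both values must lie in [1, n-1]; larger values are never reduced mod n.
  if (r.value < 1n || r.value >= n || s.value < 1n || s.value >= n) return null;
  return { r: r.value, s: s.value };
}

// Constructed samples: canonical (r=1, s=2), then the same pair with a padded r.
console.log(parseStrictDer(Buffer.from('3006020101020102', 'hex')));
console.log(parseStrictDer(Buffer.from('300702020001020102', 'hex')));
```

Signatures that pass this check should be re-verified with a patched elliptic (6.5.3 or later); the check only pins the encoding and does not address the separate `(r, s)` versus `(r, n - s)` equivalence.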
Metadata
Created: 2020-07-29T20:40:35Z
Modified: 2024-10-16T17:02:45Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/07/GHSA-vh7m-p724-62c2/GHSA-vh7m-p724-62c2.json
CWE IDs: ["CWE-190"]
Alternative ID: GHSA-vh7m-p724-62c2
Finding: F111
Auto approve: 1