CVE-2017-16007 node-jose

Package

Manager: npm
Name: node-jose
Vulnerable Version: >=0 <0.9.3

Severity

Level: Medium

CVSS v3.1: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00262 (percentile 0.4935)

Details

Invalid Curve Attack in node-jose

Affected versions of `node-jose` are vulnerable to an invalid curve attack. This allows an attacker to recover the private secret key when JWE with Key Agreement with Elliptic Curve Diffie-Hellman Ephemeral Static (ECDH-ES) is used.

[Proof of Concept](https://gist.github.com/asanso/fa25685348051ef6a28d49aa0f27a4ae)

## Recommendation

Update to version 0.9.3 or later.
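The standard defence against an invalid curve attack is to reject any ephemeral public key (`epk`) whose coordinates do not satisfy the curve equation before it is used in ECDH-ES key agreement. The sketch below is an added example, not node-jose's code or its 0.9.3 patch; it assumes P-256 only, and the names `coordToBigInt`, `isOnP256` and `validateEpk` are hypothetical.

```javascript
// P-256 (secp256r1) domain parameters from FIPS 186-4.
const P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffffn;
const A = P - 3n;
const B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604bn;

// Decode one base64url JWK coordinate. A P-256 coordinate is exactly
// 32 bytes, which is 43 unpadded base64url characters.
function coordToBigInt(b64u) {
  if (typeof b64u !== "string" || !/^[A-Za-z0-9_-]{43}$/.test(b64u)) return null;
  const buf = Buffer.from(b64u, "base64"); // Node's base64 decoder accepts the URL-safe alphabet
  return buf.length === 32 ? BigInt("0x" + buf.toString("hex")) : null;
}

// True only if x and y are in [0, p) and y^2 = x^3 + ax + b (mod p).
// P-256 has cofactor 1, so an on-curve affine point is in the right group.
function isOnP256(x, y) {
  if (x < 0n || y < 0n || x >= P || y >= P) return false;
  const lhs = (y * y) % P;
  const rhs = (((x * x + A) % P) * x + B) % P;
  return lhs === rhs;
}

// Hypothetical gate to run on a JWE header's epk before any ECDH computation.
function validateEpk(jwk) {
  if (!jwk || jwk.kty !== "EC" || jwk.crv !== "P-256") return false;
  const x = coordToBigInt(jwk.x);
  const y = coordToBigInt(jwk.y);
  return x !== null && y !== null && isOnP256(x, y);
}

// Constructed samples: the P-256 base point stands in for a well-formed epk;
// the second key has its y coordinate altered so the point leaves the curve.
const toB64u = (n) => Buffer.from(n.toString(16).padStart(64, "0"), "hex")
  .toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296n;
const GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5n;
const goodEpk = { kty: "EC", crv: "P-256", x: toB64u(GX), y: toB64u(GY) };
const badEpk = { ...goodEpk, y: toB64u(GY + 1n) };

console.log(validateEpk(goodEpk), validateEpk(badEpk)); // true false
```

A key that fails this check should cause the JWE to be rejected outright, with the same error regardless of which test failed.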

Metadata

Created: 2018-07-20T21:10:14Z
Modified: 2023-09-06T23:38:57Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/07/GHSA-rvj9-8cvx-3vq9/GHSA-rvj9-8cvx-3vq9.json
CWE IDs: ["CWE-200"]
Alternative ID: GHSA-rvj9-8cvx-3vq9
Finding: F017
Auto approve: 1