CVE-2017-16007

Sažetak

node-jose is a JavaScript implementation of the JSON Object Signing and Encryption (JOSE) for current web browsers and node.js-based servers. node-jose earlier than version 0.9.3 is vulnerable to an invalid curve attack. This allows an attacker to recover the private secret key when JWE with Key Agreement with Elliptic Curve Diffie-Hellman Ephemeral Static (ECDH-ES) is used.

Reference

http://blog.intothesymmetry.com/2017/03/critical-vulnerability-in-json-web.html
https://gist.github.com/asanso/fa25685348051ef6a28d49aa0f27a4ae
https://github.com/cisco/node-jose
https://nodesecurity.io/advisories/324

CVSS

Base:	4.3
Impact:	2.9
Exploitability:	8.6

Pristup

Vektor	Složenost	Autentikacija
NETWORK	MEDIUM	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
PARTIAL	NONE	NONE

CVSS vektor

AV:N/AC:M/Au:N/C:P/I:N/A:N

Zadnje važnije ažuriranje

09-10-2019 - 23:24

Objavljeno

04-06-2018 - 19:29