Cryptographic Issues

Affecting org.webjars.npm:elliptic artifact, versions [,6.5.4)

Report new vulnerabilities
Do your applications use this vulnerable package? Test your applications

Overview

org.webjars.npm:elliptic is a Fast elliptic-curve cryptography in a plain javascript implementation.

Affected versions of this package are vulnerable to Cryptographic Issues via the secp256k1 implementation in elliptic/ec/key.js. There is no check to confirm that the public key point passed into the derive function actually exists on the secp256k1 curve. This results in the potential for the private key used in this implementation to be revealed after a number of ECDH operations are performed.

Remediation

Upgrade org.webjars.npm:elliptic to version 6.5.4 or higher.

References

CVSS Score

6.8
medium severity
  • Attack Vector
    Network
  • Attack Complexity
    High
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Changed
  • Confidentiality
    High
  • Integrity
    None
  • Availability
    None
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
Credit
Kyle Den Hartog
CVE
CVE-2020-28498
CWE
CWE-310
Snyk ID
SNYK-JAVA-ORGWEBJARSNPM-1069836
Disclosed
26 Jan, 2021
Published
03 Feb, 2021