CVE-2017-16007

Source
https://nvd.nist.gov/vuln/detail/CVE-2017-16007
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-16007.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2017-16007
Aliases
Published
2018-06-04T19:29:00Z
Modified
2025-01-08T04:34:05.779046Z
Severity
  • 5.9 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
[none]
Details

node-jose is a JavaScript implementation of JSON Object Signing and Encryption (JOSE) for current web browsers and Node.js-based servers. Versions of node-jose earlier than 0.9.3 are vulnerable to an invalid curve attack. This allows an attacker to recover the secret private key when JWE with Key Agreement with Elliptic Curve Diffie-Hellman Ephemeral Static (ECDH-ES) is used.

References

Affected packages

Git / github.com/cisco/node-jose

Affected ranges

Type
GIT
Repo
https://github.com/cisco/node-jose
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

0.*

0.3.0
0.3.1
0.4.0
0.5.0
0.5.2
0.6.0
0.7.0
0.7.1
0.8.0
0.8.1
0.9.0
0.9.1
0.9.2