CVE-2020-28498

Source
https://nvd.nist.gov/vuln/detail/CVE-2020-28498
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-28498.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2020-28498
Aliases
Downstream
Related
  • SNYK-JAVA-ORGWEBJARSNPM-1069836
  • SNYK-JS-ELLIPTIC-1064899
Published
2021-02-02T19:15:13Z
Modified
2025-07-01T11:31:23.396194Z
Summary
[none]
Details

The package elliptic before 6.5.4 is vulnerable to Cryptographic Issues via the secp256k1 implementation in elliptic/ec/key.js. There is no check to confirm that the public key point passed into the derive function actually exists on the secp256k1 curve. This results in the potential for the private key used in this implementation to be revealed after a number of ECDH operations are performed.

References

Affected packages

Debian:11 / node-elliptic

Package

Name
node-elliptic
Purl
pkg:deb/debian/node-elliptic?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 Unknown introduced version / All previous versions are affected
Fixed
6.5.4~dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / node-elliptic

Package

Name
node-elliptic
Purl
pkg:deb/debian/node-elliptic?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 Unknown introduced version / All previous versions are affected
Fixed
6.5.4~dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / node-elliptic

Package

Name
node-elliptic
Purl
pkg:deb/debian/node-elliptic?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 Unknown introduced version / All previous versions are affected
Fixed
6.5.4~dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/indutny/elliptic

Affected ranges

Type
GIT
Repo
https://github.com/indutny/elliptic
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v0.*

v0.1.0
v0.10.0
v0.10.1
v0.10.2
v0.11.0
v0.11.1
v0.12.0
v0.13.0
v0.13.1
v0.13.2
v0.14.0
v0.14.1
v0.14.2
v0.15.0
v0.15.1
v0.15.10
v0.15.11
v0.15.12
v0.15.13
v0.15.14
v0.15.15
v0.15.16
v0.15.17
v0.15.2
v0.15.3
v0.15.4
v0.15.5
v0.15.6
v0.15.7
v0.15.8
v0.15.9
v0.16.0
v0.2.0
v0.3.0
v0.4.0
v0.5.0
v0.6.0
v0.6.1
v0.7.0
v0.8.0
v0.9.0
v0.9.1
v0.9.2

v1.*

v1.0.0
v1.0.1

v2.*

v2.0.0
v2.0.1
v2.0.2

v3.*

v3.0.0
v3.0.1
v3.0.2
v3.0.3
v3.0.4
v3.1.0

v4.*

v4.0.0
v4.1.0

v5.*

v5.0.0
v5.1.0
v5.1.1
v5.2.0
v5.2.1

v6.*

v6.0.0
v6.0.1
v6.0.2
v6.1.0
v6.2.0
v6.2.1
v6.2.2
v6.2.3
v6.2.4
v6.2.5
v6.2.6
v6.2.7
v6.2.8
v6.3.0
v6.3.1
v6.3.2
v6.3.3
v6.4.0
v6.4.1
v6.5.0
v6.5.1
v6.5.2
v6.5.3