GHSA-p2hp-3wv3-4w74

Source

https://github.com/advisories/GHSA-p2hp-3wv3-4w74

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-p2hp-3wv3-4w74/GHSA-p2hp-3wv3-4w74.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-p2hp-3wv3-4w74

Aliases

CVE-2022-44310

Published

2023-02-24T21:30:18Z

Modified

2023-11-01T05:00:18.780880Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

ecdh vulnerable to Exposure of Resource to Wrong Sphere

Details

In Development IL ecdh before 0.2.0, an attacker can send an invalid point (not on the curve) as the public key, and obtain the derived shared secret.

Database specific

{
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2023-03-08T17:22:31Z",
    "nvd_published_at": "2023-02-24T20:15:00Z",
    "cwe_ids": [
        "CWE-668"
    ]
}

References

Affected packages

npm / ecdh

Package

Name: ecdh; View open source insights on deps.dev
Purl: pkg:npm/ecdh

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.2.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-p2hp-3wv3-4w74/GHSA-p2hp-3wv3-4w74.json"