GHSA-vh7m-p724-62c2

Suggest an improvement
Source
https://github.com/advisories/GHSA-vh7m-p724-62c2
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/07/GHSA-vh7m-p724-62c2/GHSA-vh7m-p724-62c2.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-vh7m-p724-62c2
Aliases
Published
2020-07-29T20:40:35Z
Modified
2024-10-16T17:02:45Z
Severity
  • 7.7 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L CVSS Calculator
Summary
Signature Malleabillity in elliptic
Details

The Elliptic package before version 6.5.3 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.

Database specific
{
    "nvd_published_at": "2020-06-04T15:15:13Z",
    "cwe_ids": [
        "CWE-190"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2020-07-29T20:39:31Z"
}
References

Affected packages

npm / elliptic

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.5.3

Ecosystem specific

{
    "affected_functions": [
        "(elliptic).ec"
    ]
}