CVE-2017-16007
N/A
N/A
Summary
node-jose is a JavaScript implementation of the JSON Object Signing and Encryption (JOSE) for current web browsers and node.js-based servers. node-jose earlier than version 0.9.3 is vulnerable to an invalid curve attack. This allows an attacker to recover the private secret key when JWE with Key Agreement with Elliptic Curve Diffie-Hellman Ephemeral Static (ECDH-ES) is used.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| HackerOne | node-jose node module | <0.9.3 | affected |
Weaknesses
- CWE-200: Information Disclosure (CWE-200)
ADP Enrichment
CVE Program Container
Additional References
- https://gist.github.com/asanso/fa25685348051ef6a28d49aa0f27a4ae
- https://nodesecurity.io/advisories/324
- http://blog.intothesymmetry.com/2017/03/critical-vulnerability-in-json-web.html
- https://github.com/cisco/node-jose
References
- https://gist.github.com/asanso/fa25685348051ef6a28d49aa0f27a4ae
- https://nodesecurity.io/advisories/324
- http://blog.intothesymmetry.com/2017/03/critical-vulnerability-in-json-web.html
- https://github.com/cisco/node-jose
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.