CVE-2016-9121

Name of the Vulnerable Software and Affected Versions go-jose versions prior to 1.0.4

Description The issue arises from an invalid curve attack for the ECDH-ES algorithm. When deriving a shared key using ECDH-ES for an encrypted message, the received public key on a message is not checked to be on the same curve as the static private key of the receiver. This allows an attacker to mount an invalid curve attack during decryption.

Recommendations For go-jose versions prior to 1.0.4, update to version 1.0.4 or later to resolve the issue. As a temporary workaround, consider validating the curve of the received public key against the receiver's private key curve before proceeding with the ECDH-ES algorithm. Restrict access to the ECDH-ES functionality until the update is applied to minimize the risk of exploitation.