PT-2018-6036 · Javascript · Node-Jose

Asanso

Published

2018-06-04

Updated

2019-10-09

CVE-2017-16007

CVSS v3.1

5.9

Medium

Vector

AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions: node-jose versions prior to 0.9.3

Description: The issue allows an attacker to recover the private secret key when JWE with Key Agreement with Elliptic Curve Diffie-Hellman Ephemeral Static (ECDH-ES) is used, due to an invalid curve attack.

Recommendations: Update to version 0.9.3 or later.

Exploit

Fix

Information Disclosure

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-200

Related Identifiers

CVE-2017-16007

GHSA-RVJ9-8CVX-3VQ9

Affected Products

Node-Jose

PT-2018-6036 · Javascript · Node-Jose

CVE-2017-16007

Weakness Enumeration

Related Identifiers

Affected Products

References · 10