{ "schema_version": "1.4.0", "id": "GHSA-rvj9-8cvx-3vq9", "modified": "2023-09-06T23:38:57Z", "published": "2018-07-20T21:10:14Z", "aliases": [ "CVE-2017-16007" ], "summary": "Invalid Curve Attack in node-jose", "details": "Affected versions of `node-jose` are vulnerable to an invalid curve attack. This allows an attacker to recover the private secret key when JWE with Key Agreement with Elliptic Curve Diffie-Hellman Ephemeral Static (ECDH-ES) is used.\n\n[Proof of Concept](https://gist.github.com/asanso/fa25685348051ef6a28d49aa0f27a4ae)\n\n\n## Recommendation\n\nUpdate to version 0.9.3 or later.", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" } ], "affected": [ { "package": { "ecosystem": "npm", "name": "node-jose" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "0.9.3" } ] } ] } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-16007" }, { "type": "WEB", "url": "https://github.com/cisco/node-jose/pull/88" }, { "type": "WEB", "url": "https://github.com/cisco/node-jose/commit/f92cffb4a0398b4b1158be98423369233282e0af" }, { "type": "WEB", "url": "https://gist.github.com/asanso/fa25685348051ef6a28d49aa0f27a4ae" }, { "type": "PACKAGE", "url": "https://github.com/cisco/node-jose" }, { "type": "WEB", "url": "https://github.com/cisco/node-jose/compare/0.9.2...0.9.3" }, { "type": "WEB", "url": "http://blog.intothesymmetry.com/2017/03/critical-vulnerability-in-json-web.html" } ], "database_specific": { "cwe_ids": [ "CWE-200" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:56:00Z", "nvd_published_at": null } }