Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1wMmhwLTN3djMtNHc3NM4AAxzi
ecdh vulnerable to Exposure of Resource to Wrong Sphere
In Development IL ecdh before 0.2.0, an attacker can send an invalid point (not on the curve) as the public key, and obtain the derived shared secret.
Permalink: https://github.com/advisories/GHSA-p2hp-3wv3-4w74
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1wMmhwLTN3djMtNHc3NM4AAxzi
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 1 year ago
Updated: about 1 year ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-p2hp-3wv3-4w74, CVE-2022-44310
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-44310
- https://github.com/developmentil/ecdh/issues/3
- https://github.com/developmentil/ecdh/pull/4
- https://github.com/developmentil/ecdh/commit/ef4560e7233f4e8107a17a77bc540121599c78fa
- https://github.com/advisories/GHSA-p2hp-3wv3-4w74
Blast Radius: 5.2
Affected Packages
npm:ecdh
Dependent packages: 5
Dependent repositories: 5
Downloads: 842 last month
Affected Version Ranges: < 0.2.0
Fixed in: 0.2.0
All affected versions: 0.0.0, 0.1.0, 0.1.1
All unaffected versions: 0.2.0