Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTl4OWotODM2dy04ZjU1

Incorrect Calculation in the MSR JavaScript Cryptography Library

A Security Feature Bypass vulnerability exists in the MSR JavaScript Cryptography Library that is caused by multiple bugs in the library's Elliptic Curve Cryptography (ECC) implementation. An attacker could potentially abuse these bugs to learn information about a server's private ECC key (a key leakage attack) or craft an invalid ECDSA signature that nevertheless passes as valid. The security update addresses the vulnerability by fixing the bugs disclosed in the ECC implementation, aka MSR JavaScript Cryptography Library Security Feature Bypass Vulnerability.

Permalink: https://github.com/advisories/GHSA-9x9j-836w-8f55
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTl4OWotODM2dy04ZjU1
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: about 1 year ago


CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Identifiers: GHSA-9x9j-836w-8f55, CVE-2020-1026
References:
Blast Radius: 28.1

Affected Packages

npm:msrcrypto
Dependent packages: 13
Dependent repositories: 739
Downloads: 275,065 last month
Affected Version Ranges: < 1.5.8
Fixed in: 1.5.8
All affected versions: 1.4.0, 1.4.1, 1.4.2, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 1.5.7
All unaffected versions: 1.5.8