
MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXFnM2ctMm1naC0zM2o4

Severity: Critical
EPSS: 0.07396% (0.91267 percentile)

Sensitive Data Exposure in msrcrypto

Affected Package          Affected Versions   Fixed Versions
npm:msrcrypto             < 1.4.1             1.4.1
  PURL: pkg:npm/msrcrypto
  13 dependent packages
  739 dependent repositories
  564,296 downloads last month

Affected Version Ranges

All affected versions

1.4.0

All unaffected versions

1.4.1, 1.4.2, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 1.5.7, 1.5.8

Versions of msrcrypto prior to 1.4.1 are vulnerable to Sensitive Data Exposure. The package's Elliptic Curve Cryptography (ECC) implementation may leak information about a server's private ECC key. It can also allow attackers to craft invalid ECDSA signatures that are accepted as valid. There is no published proof-of-concept for this vulnerability.

Recommendation

Upgrade to version 1.4.1 or later.
