Description

node-jose is a JavaScript implementation of the JSON Object Signing and Encryption (JOSE) for current web browsers and node.js-based servers. node-jose earlier than version 0.9.3 is vulnerable to an invalid curve attack. This allows an attacker to recover the private secret key when JWE with Key Agreement with Elliptic Curve Diffie-Hellman Ephemeral Static (ECDH-ES) is used.

Remediation

References

https://nodesecurity.io/advisories/324

https://github.com/cisco/node-jose

https://gist.github.com/asanso/fa25685348051ef6a28d49aa0f27a4ae

http://blog.intothesymmetry.com/2017/03/critical-vulnerability-in-json-web.html

Related Vulnerabilities

CVE-2011-0509 Vulnerability in maven package com.vaadin:vaadin

CVE-2020-7634 Vulnerability in npm package heroku-addonpool

CVE-2023-26133 Vulnerability in npm package progressbar.js

CVE-2018-1305 Vulnerability in maven package org.apache.tomcat:tomcat-catalina

CVE-2021-23446 Vulnerability in npm package handsontable

Severity

Medium

Classification

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Tags

Third Party Advisory Patch Exploit NVD-CWE-noinfo