CVE-2020-13822 - OpenCVE

The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact Low

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Elliptic Project	Elliptic

Configuration 1 [-]

cpe:2.3:a:elliptic_project:elliptic:6.5.2:*:*:*:*:node.js:*:*

References

Link	Resource
https://github.com/indutny/elliptic/issues/226	Exploit Third Party Advisory
https://medium.com/%40herman_10687/malleability-attack-why-it-matters-7b5f59fb99a4
https://www.npmjs.com/package/elliptic	Third Party Advisory
https://yondon.blog/2019/01/01/how-not-to-use-ecdsa/	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2020-06-04T14:01:53

Updated: 2020-06-04T14:01:53

Reserved: 2020-06-04T00:00:00

Link: CVE-2020-13822

JSON object: View

NVD Information

Status : Modified

Published: 2020-06-04T15:15:13.510

Modified: 2023-11-07T03:16:58.907

Link: CVE-2020-13822

JSON object: View

Redhat Information

No data.

CWE

CWE-190

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-06-04T14:01:53", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.npmjs.com/package/elliptic"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/indutny/elliptic/issues/226"}, {"tags": ["x_refsource_MISC"], "url": "https://yondon.blog/2019/01/01/how-not-to-use-ecdsa/"}, {"tags": ["x_refsource_MISC"], "url": "https://medium.com/%40herman_10687/malleability-attack-why-it-matters-7b5f59fb99a4"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-13822", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.npmjs.com/package/elliptic", "refsource": "MISC", "url": "https://www.npmjs.com/package/elliptic"}, {"name": "https://github.com/indutny/elliptic/issues/226", "refsource": "MISC", "url": "https://github.com/indutny/elliptic/issues/226"}, {"name": "https://yondon.blog/2019/01/01/how-not-to-use-ecdsa/", "refsource": "MISC", "url": "https://yondon.blog/2019/01/01/how-not-to-use-ecdsa/"}, {"name": "https://medium.com/@herman_10687/malleability-attack-why-it-matters-7b5f59fb99a4", "refsource": "MISC", "url": "https://medium.com/@herman_10687/malleability-attack-why-it-matters-7b5f59fb99a4"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-13822", "datePublished": "2020-06-04T14:01:53", "dateReserved": "2020-06-04T00:00:00", "dateUpdated": "2020-06-04T14:01:53", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:elliptic_project:elliptic:6.5.2:*:*:*:*:node.js:*:*", "matchCriteriaId": "83C79EC5-299D-4D27-8606-3BDEB95825E5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature."}, {"lang": "es", "value": "El paquete Elliptic versi\u00f3n 6.5.2, para Node.js permite la maleabilidad de la firma ECDSA por medio de variaciones en la codificaci\u00f3n, conllevando a bytes \"\\0\", o a desbordamientos de enteros. Esto podr\u00eda tener un impacto relevante para la seguridad si una aplicaci\u00f3n se basara en una firma can\u00f3nica \u00fanica"}], "id": "CVE-2020-13822", "lastModified": "2023-11-07T03:16:58.907", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.5, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-06-04T15:15:13.510", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/indutny/elliptic/issues/226"}, {"source": "cve@mitre.org", "url": "https://medium.com/%40herman_10687/malleability-attack-why-it-matters-7b5f59fb99a4"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.npmjs.com/package/elliptic"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://yondon.blog/2019/01/01/how-not-to-use-ecdsa/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-190"}], "source": "nvd@nist.gov", "type": "Primary"}]}