CVE-2022-41340 - OpenCVE

The secp256k1-js package before 1.1.0 for Node.js implements ECDSA without required r and s validation, leading to signature forgery.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Secp256k1-js Project	Secp256k1-js

Configuration 1 [-]

cpe:2.3:a:secp256k1-js_project:secp256k1-js:*:*:*:*:*:node.js:*:*

References

Link	Resource
https://github.com/lionello/secp256k1-js/commit/302800f0370b42e360a33774bb808274ac729c2e	Patch Third Party Advisory
https://github.com/lionello/secp256k1-js/compare/1.0.1...1.1.0	Patch Third Party Advisory
https://github.com/lionello/secp256k1-js/issues/11	Issue Tracking Third Party Advisory
https://www.npmjs.com/package/%40lionello/secp256k1-js

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2022-09-24T18:22:27

Updated: 2022-09-24T18:22:27

Reserved: 2022-09-24T00:00:00

Link: CVE-2022-41340

JSON object: View

NVD Information

Status : Modified

Published: 2022-09-24T19:15:08.960

Modified: 2023-11-07T03:52:48.580

Link: CVE-2022-41340

JSON object: View

Redhat Information

No data.

CWE

CWE-347

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "The secp256k1-js package before 1.1.0 for Node.js implements ECDSA without required r and s validation, leading to signature forgery."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-09-24T18:22:27", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/lionello/secp256k1-js/issues/11"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/lionello/secp256k1-js/commit/302800f0370b42e360a33774bb808274ac729c2e"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/lionello/secp256k1-js/compare/1.0.1...1.1.0"}, {"tags": ["x_refsource_MISC"], "url": "https://www.npmjs.com/package/%40lionello/secp256k1-js"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2022-41340", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The secp256k1-js package before 1.1.0 for Node.js implements ECDSA without required r and s validation, leading to signature forgery."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/lionello/secp256k1-js/issues/11", "refsource": "MISC", "url": "https://github.com/lionello/secp256k1-js/issues/11"}, {"name": "https://github.com/lionello/secp256k1-js/commit/302800f0370b42e360a33774bb808274ac729c2e", "refsource": "MISC", "url": "https://github.com/lionello/secp256k1-js/commit/302800f0370b42e360a33774bb808274ac729c2e"}, {"name": "https://github.com/lionello/secp256k1-js/compare/1.0.1...1.1.0", "refsource": "MISC", "url": "https://github.com/lionello/secp256k1-js/compare/1.0.1...1.1.0"}, {"name": "https://www.npmjs.com/package/@lionello/secp256k1-js", "refsource": "MISC", "url": "https://www.npmjs.com/package/@lionello/secp256k1-js"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2022-41340", "datePublished": "2022-09-24T18:22:27", "dateReserved": "2022-09-24T00:00:00", "dateUpdated": "2022-09-24T18:22:27", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}