Input validation error in node-jose - CVE-2017-16007
Published: June 4, 2018 / Updated: August 8, 2020
Vulnerability identifier: #VU37085
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2017-16007
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: GNU
Affected software:
node-jose
node-jose
Detailed vulnerability description
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
node-jose is a JavaScript implementation of the JSON Object Signing and Encryption (JOSE) for current web browsers and node.js-based servers. node-jose earlier than version 0.9.3 is vulnerable to an invalid curve attack. This allows an attacker to recover the private secret key when JWE with Key Agreement with Elliptic Curve Diffie-Hellman Ephemeral Static (ECDH-ES) is used.
How to mitigate CVE-2017-16007
Install update from vendor's website.