Use of a broken or risky cryptographic algorithm in elliptic - CVE-2020-28498
Published: May 26, 2022 / Updated: May 26, 2022
Vulnerability identifier: #VU63701
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2020-28498
CWE-ID: CWE-327
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: indutny
Affected software:
elliptic
elliptic
Detailed vulnerability description
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to cryptographic issues in the secp256k1 implementation in elliptic/ec/key.js. A remote attacker can pass specially crafted public key point to the application and gain access to sensitive information.
The vulnerability exists due to cryptographic issues in the secp256k1 implementation in elliptic/ec/key.js. A remote attacker can pass specially crafted public key point to the application and gain access to sensitive information.
How to mitigate CVE-2020-28498
Install updates from vendor's website.