org.webjars.npm:elliptic@6.6.1 vulnerabilities

latest version

6.6.1

first published

9 years ago

latest version published

1 months ago

licenses detected

MIT
[3.1.0,)

package registry

View on Maven Central Repository

Go back to all versions of this package

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the org.webjars.npm:elliptic package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
C Improper Verification of Cryptographic Signature org.webjars.npm:elliptic is a Fast elliptic-curve cryptography in a plain javascript implementation. Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature due to an anomaly in the `_truncateToN` function. An attacker can cause legitimate transactions or communications to be incorrectly flagged as invalid by exploiting the signature verification process when the hash contains at least four leading 0 bytes, and the order of the elliptic curve's base point is smaller than the hash. In some situations, a private key exposure is possible. This can happen when an attacker knows a faulty and the corresponding correct signature for the same message. Note: Although the vector for exploitation of this vulnerability was restricted with the release of versions 6.6.0 and 6.6.1, it remains possible to generate invalid signatures in some cases in those releases as well. How to fix Improper Verification of Cryptographic Signature? There is no fixed version for `org.webjars.npm:elliptic`.	[0,)

Improper Verification of Cryptographic Signature

org.webjars.npm:elliptic is a Fast elliptic-curve cryptography in a plain javascript implementation.

Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature due to an anomaly in the _truncateToN function. An attacker can cause legitimate transactions or communications to be incorrectly flagged as invalid by exploiting the signature verification process when the hash contains at least four leading 0 bytes, and the order of the elliptic curve's base point is smaller than the hash.

In some situations, a private key exposure is possible. This can happen when an attacker knows a faulty and the corresponding correct signature for the same message.

Note: Although the vector for exploitation of this vulnerability was restricted with the release of versions 6.6.0 and 6.6.1, it remains possible to generate invalid signatures in some cases in those releases as well.

How to fix Improper Verification of Cryptographic Signature?

There is no fixed version for org.webjars.npm:elliptic.

[0,)

Go back to all versions of this package