Elliptic Curve Key Disclosure
The advisory has been revoked - it doesn't affect any version of package gopkg.in/square/go-jose.v2
Threat Intelligence
EPSS: 0.17% (55th percentile)
- Snyk ID SNYK-GOLANG-GOPKGINSQUAREGOJOSEV2-50048
- published 16 Feb 2017
- disclosed 16 Feb 2017
- credit Unknown
Introduced: 16 Feb 2017
CVE-2016-9121
Amendment
This was deemed not a vulnerability.
Overview
Affected versions of this package are vulnerable to Elliptic Curve Key Disclosure. When deriving a shared key using ECDH-ES for an encrypted message, go-jose neglected to check that the received public key on a message is on the same curve as the static private key of the receiver, thus making it vulnerable to an invalid curve attack.
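The check the overview describes, as an added example using only the Go standard library (it is not go-jose code; `deriveShared`, `demo` and `errInvalidPoint` are hypothetical names, and the keys are generated on the spot as constructed sample input). It refuses to compute the ECDH shared secret unless the sender's point lies on the receiver's curve:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
)

var errInvalidPoint = errors.New("ephemeral public key is not on the receiver's curve")

// deriveShared (hypothetical helper) returns the raw ECDH secret Z for an
// ECDH-ES exchange. The key-derivation step that follows is omitted.
func deriveShared(priv *ecdsa.PrivateKey, x, y *big.Int) ([]byte, error) {
	curve := priv.Curve
	// Validate the untrusted point against the curve of the static private
	// key before any scalar multiplication touches priv.D.
	if x == nil || y == nil || !curve.IsOnCurve(x, y) {
		return nil, errInvalidPoint
	}
	zx, _ := curve.ScalarMult(x, y, priv.D.Bytes())
	size := (curve.Params().BitSize + 7) / 8
	return zx.FillBytes(make([]byte, size)), nil
}

// demo runs three constructed cases against a P-256 receiver: a valid P-256
// point, an off-curve point (1, 1), and a point taken from a P-384 key.
func demo() (int, error, error) {
	recv, err1 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	good, err2 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	other, err3 := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	if err1 != nil || err2 != nil || err3 != nil {
		panic("key generation failed")
	}
	z, err := deriveShared(recv, good.X, good.Y)
	if err != nil {
		panic(err)
	}
	_, offCurve := deriveShared(recv, big.NewInt(1), big.NewInt(1))
	_, wrongCurve := deriveShared(recv, other.X, other.Y)
	return len(z), offCurve, wrongCurve
}

func main() {
	n, offCurve, wrongCurve := demo()
	fmt.Println(n, offCurve, wrongCurve)
}
```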