Timing Attack Affecting org.webjars.npm:elliptic package, versions [0,6.5.2)


Severity

Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Timing Attack vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-JAVA-ORGWEBJARSNPM-541441
  • published13 Nov 2019
  • disclosed2 Oct 2019
  • creditCentre for Research on Cryptography and Security

Introduced: 2 Oct 2019

CVE NOT AVAILABLE CWE-362  (opens in a new tab)

How to fix?

Upgrade org.webjars.npm:elliptic to version 6.5.2 or higher.

Overview

org.webjars.npm:elliptic is a Fast elliptic-curve cryptography in a plain javascript implementation.

Affected versions of this package are vulnerable to Timing Attack. Practical recovery of the long-term private key generated by the library is possible under certain conditions. Leakage of bit-length of a scalar during scalar multiplication is possible on an elliptic curve which might allow practical recovery of the long-term private key.

CVSS Scores

version 3.1