GHSA-9x9j-836w-8f55

Source
https://github.com/advisories/GHSA-9x9j-836w-8f55
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-9x9j-836w-8f55/GHSA-9x9j-836w-8f55.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-9x9j-836w-8f55
Aliases
  • CVE-2020-1026
Published
2022-01-06T19:44:01Z
Modified
2023-11-08T04:01:57.734184Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Incorrect Calculation in the MSR JavaScript Cryptography Library
Details

A Security Feature Bypass vulnerability exists in the MSR JavaScript Cryptography Library that is caused by multiple bugs in the library's Elliptic Curve Cryptography (ECC) implementation. An attacker could potentially abuse these bugs to learn information about a server's private ECC key (a key leakage attack) or craft an invalid ECDSA signature that nevertheless passes as valid. The security update addresses the vulnerability by fixing the bugs disclosed in the ECC implementation, aka MSR JavaScript Cryptography Library Security Feature Bypass Vulnerability.

Database specific
{
    "github_reviewed_at": "2021-05-25T19:19:10Z",
    "nvd_published_at": "2020-04-15T15:15:00Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-682"
    ],
    "severity": "HIGH"
}
Affected packages

npm / msrcrypto

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.5.8

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-9x9j-836w-8f55/GHSA-9x9j-836w-8f55.json"