GO-2020-0010

Source
https://pkg.go.dev/vuln/GO-2020-0010
Import Source
https://vuln.go.dev/ID/GO-2020-0010.json
Aliases
Published
2021-04-14T20:04:52Z
Modified
2023-11-08T03:58:37.751733Z
Details

When using ECDH-ES, an attacker can mount an invalid curve attack during decryption, because the supplied public key is not checked to be on the same curve as the receiver's private key.

References

Affected packages

Go / github.com/square/go-jose

Affected ranges

Type
SEMVER
Events
Introduced
0 (the exact introduced commit is unknown)
Fixed
1.0.4

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/square/go-jose/cipher",
            "symbols": [
                "DeriveECDHES"
            ]
        },
        {
            "path": "github.com/square/go-jose",
            "symbols": [
                "JsonWebEncryption.Decrypt",
                "JsonWebKey.UnmarshalJSON",
                "ecDecrypterSigner.decryptKey",
                "rawJsonWebKey.ecPublicKey"
            ]
        }
    ]
}