CVE-2017-16007

Published: Jun 4, 2018

Modified: Sep 16, 2024

PUBLISHED

Description

node-jose is a JavaScript implementation of the JSON Object Signing and Encryption (JOSE) for current web browsers and node.js-based servers. node-jose earlier than version 0.9.3 is vulnerable to an invalid curve attack. This allows an attacker to recover the private secret key when JWE with Key Agreement with Elliptic Curve Diffie-Hellman Ephemeral Static (ECDH-ES) is used.
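The check that an invalid curve attack depends on being absent, as an added example (not node-jose's code or its 0.9.3 fix): before ECDH-ES key agreement, the recipient verifies that the sender's ephemeral public key (`epk`) is a point on the expected curve. It assumes P-256 and a JWK-shaped `epk`; the function names and the sample keys are constructed for illustration.

```javascript
// P-256 (secp256r1) domain parameters: curve is y^2 = x^3 + A*x + B over GF(P).
const P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffffn;
const A = P - 3n;
const B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604bn;
// Base point, used here only to build a known-good sample key.
const GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296n;
const GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5n;

// Decode a base64url JWK coordinate; P-256 coordinates are exactly 32 bytes.
function coordToBigInt(b64url) {
  if (typeof b64url !== 'string' || !/^[A-Za-z0-9_-]+$/.test(b64url)) return null;
  const std = b64url.replace(/-/g, '+').replace(/_/g, '/');
  const buf = Buffer.from(std, 'base64');
  if (buf.length !== 32) return null;
  return BigInt('0x' + buf.toString('hex'));
}

// Encode a BigInt as a 32-byte base64url coordinate (helper for the samples).
function bigIntToCoord(n) {
  return Buffer.from(n.toString(16).padStart(64, '0'), 'hex')
    .toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Returns true only if the JWK is a P-256 key whose (x, y) satisfies the
// curve equation. P-256 has cofactor 1, so an on-curve affine point is
// already in the correct group.
function isValidP256Epk(jwk) {
  if (!jwk || jwk.kty !== 'EC' || jwk.crv !== 'P-256') return false;
  const x = coordToBigInt(jwk.x);
  const y = coordToBigInt(jwk.y);
  if (x === null || y === null) return false;
  if (x >= P || y >= P) return false;          // coordinates must be field elements
  const lhs = (y * y) % P;
  const rhs = (((x * x + A) % P) * x + B) % P; // x^3 + A*x + B
  return lhs === rhs;
}

// Constructed samples: the base point (valid) and the same x with y + 1 (off curve).
const onCurveEpk = { kty: 'EC', crv: 'P-256', x: bigIntToCoord(GX), y: bigIntToCoord(GY) };
const offCurveEpk = { ...onCurveEpk, y: bigIntToCoord(GY + 1n) };

console.log(isValidP256Epk(onCurveEpk), isValidP256Epk(offCurveEpk));
```

A recipient would run this check on the `epk` header of every incoming ECDH-ES JWE and reject the message before deriving any shared secret if it returns false.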

Vendor: HackerOne
Product: node-jose node module
Versions: affected, <0.9.3

Weaknesses (CWE)
