Vulnerability DatabaseCVE-2017-16007
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2017-16007
June 04, 2018
node-jose is a JavaScript implementation of the JSON Object Signing and Encryption (JOSE) for current web browsers and node.js-based servers. node-jose earlier than version 0.9.3 is vulnerable to an invalid curve attack. This allows an attacker to recover the private secret key when JWE with Key Agreement with Elliptic Curve Diffie-Hellman Ephemeral Static (ECDH-ES) is used.
Affected Packages
node-jose (NPM):
Affected version(s) >=0.3.0 <0.9.3
Fix Suggestion:
Update to version 0.9.3
Related ResourcesĀ (8)
https://github.com/cisco/node-jose
https://github.com/cisco/node-jose/pull/88
https://github.com/cisco/node-jose/commit/f92cffb4a0398b4b1158be98423369233282e0af
http://blog.intothesymmetry.com/2017/03/critical-vulnerability-in-json-web.html
https://nvd.nist.gov/vuln/detail/CVE-2017-16007
https://nodesecurity.io/advisories/324
https://gist.github.com/asanso/fa25685348051ef6a28d49aa0f27a4ae
https://github.com/cisco/node-jose/compare/0.9.2...0.9.3
Do you need more information?
Contact Us
CVSS v4
Base Score:
8.2
Attack Vector
NETWORK
Attack Complexity
HIGH
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
NONE
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
5.9
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
NONE
Availability
NONE
CVSS v2
Base Score:
4.3
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
Weakness Type (CWE)
Exposure of Sensitive Information to an Unauthorized Actor
CWE-200
EPSS
Base Score:
0.25