CVE-2024-42461 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2024-42461

CVE-2024-42461

August 02, 2024

In the Elliptic package 6.5.6 for Node.js, ECDSA signature malleability occurs because BER-encoded signatures are allowed.

Affected Packages

elliptic (CDN_JS):

Affected version(s) >=6.3.1 <6.5.7

Fix Suggestion:

Update to version 6.5.7

elliptic (NPM):

Affected version(s) >=5.2.1 <6.5.7

Fix Suggestion:

Update to version 6.5.7

Related Resources (7)

https://github.com/indutny/elliptic/commit/accb61e9c1a005e5c8ff96a8b33893100bb42d11

https://security.netapp.com/advisory/ntap-20241004-0005

https://security.netapp.com/advisory/ntap-20241004-0005/

https://nvd.nist.gov/vuln/detail/CVE-2024-42461

https://github.com/indutny/elliptic/pull/317

https://security-tracker.debian.org/tracker/CVE-2024-42461

https://github.com/indutny/elliptic

Do you need more information?

CVSS v4

Base Score:

9.3

Attack Vector

NETWORK

Attack Complexity

LOW

Attack Requirements

NONE

Privileges Required

NONE

User Interaction

NONE

Vulnerable System Confidentiality

HIGH

Vulnerable System Integrity

HIGH

Vulnerable System Availability

NONE

Subsequent System Confidentiality

NONE

Subsequent System Integrity

NONE

Subsequent System Availability

NONE

Exploit Maturity

UNREPORTED

CVSS v3

Base Score:

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

NONE

Availability

NONE

Weakness Type (CWE)

Improper Verification of Cryptographic Signature

CWE-347

EPSS

Base Score:

2.9

Products

Solutions

Resources

Company

Compare

Developer Tools