cbcvebase.
CVE-2017-16007
published 2018-06-04

CVE-2017-16007: node-jose is a JavaScript implementation of the JSON Object Signing and Encryption (JOSE) for current web browsers and node.js-based servers. node-jose earlier…

PriorityP428medium5.9CVSS 3.0
AVNACHPRNUINSUCHINAN
EPSS
0.93%
56.0th percentile
node-jose is a JavaScript implementation of the JSON Object Signing and Encryption (JOSE) for current web browsers and node.js-based servers. node-jose earlier than version 0.9.3 is vulnerable to an invalid curve attack. This allows an attacker to recover the private secret key when JWE with Key Agreement with Elliptic Curve Diffie-Hellman Ephemeral Static (ECDH-ES) is used.

Affected

3 ranges
VendorProductVersion rangeFixed in
cisconode-jose< 0.9.30.9.3
cisconode-jose>= 0 < 0.9.30.9.3
hackeronenode-jose_node_module

CVSS provenance

nvdv3.05.9MEDIUMCVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
nvdv2.04.3MEDIUMAV:N/AC:M/Au:N/C:P/I:N/A:N
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.