CVE-2017-16007 — Sensitive Information Exposure in Cisco Node-jose

CWE-200 — Sensitive Information Exposure4 documents4 sources

Severity

5.9MEDIUMNVD

EPSS

0.2%

top 51.82%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cisco Node-jose Hackerone Node-jose Node Module

Timeline

PublishedJun 4

Latest updateJul 20

Description

node-jose is a JavaScript implementation of the JSON Object Signing and Encryption (JOSE) for current web browsers and node.js-based servers. node-jose earlier than version 0.9.3 is vulnerable to an invalid curve attack. This allows an attacker to recover the private secret key when JWE with Key Agreement with Elliptic Curve Diffie-Hellman Ephemeral Static (ECDH-ES) is used.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages3 packages

▶NVDcisco/node-jose< 0.9.3

▶npmcisco/node-jose< 0.9.3

▶CVEListV5hackerone/node-jose_node_module<0.9.3

Patches

Patch: gist.github.com ↗Patch: gist.github.com ↗

🔴Vulnerability Details

OSV

Invalid Curve Attack in node-jose↗2018-07-20

▶

GHSA

Invalid Curve Attack in node-jose↗2018-07-20

▶

CVEList

CVE-2017-16007: node-jose is a JavaScript implementation of the JSON Object Signing and Encryption (JOSE) for current web browsers and node↗2018-06-04

▶