CVE-2017-7781 — Incorrect Conversion between Numeric Types in Mozilla Firefox
Severity
5.9 MEDIUM (NVD)
9.1 (OSV)
EPSS
0.9%
top 24.15%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Jun 11
Latest update: May 13
Description
An error occurs in the elliptic curve point addition algorithm that uses mixed Jacobian-affine coordinates where it can yield a result "POINT_AT_INFINITY" when it should not. A man-in-the-middle attacker could use this to interfere with a connection, resulting in an attacked party computing an incorrect shared secret. This vulnerability affects Firefox < 55.
CVSS vector
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 2.2 | Impact: 3.6
Affected Packages: 4 packages
🔴 Vulnerability Details (5)
GHSA
GHSA-r4hg-5mwm-xfgr: An error occurs in the elliptic curve point addition algorithm that uses mixed Jacobian-affine coordinates where it can yield a result "POINT_AT_INFIN (2022-05-13)
OSV
CVE-2017-7781: An error occurs in the elliptic curve point addition algorithm that uses mixed Jacobian-affine coordinates where it can yield a result "POINT_AT_INFIN (2017-08-10)
📋 Vendor Advisories (5)
💬 Community (2)
Bugzilla
CVE-2017-7781 nss-softokn: Mozilla: Elliptic curve point addition error when using mixed Jacobian-affine coordinates (MFSA 2017-18) [fedora-all] (2017-08-28)
Bugzilla
CVE-2017-7781 Mozilla: Elliptic curve point addition error when using mixed Jacobian-affine coordinates (MFSA 2017-18) (2017-08-08)