CVE-2020-13822 — Integer Overflow or Wraparound in Node-elliptic

CWE-190 — Integer Overflow or Wraparound7 documents6 sources

Severity

7.7HIGHNVD

EPSS

0.2%

top 59.53%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Debian Node-elliptic Indutny Elliptic

Timeline

PublishedJun 4

Latest updateJul 29

Description

The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:LExploitability: 2.2 | Impact: 5.5

Affected Packages3 packages

▶debiandebian/node-elliptic< node-elliptic 6.5.3~dfsg-1 (bookworm)

▶npmindutny/elliptic< 6.5.3

▶NVDindutny/elliptic6.5.2

🔴Vulnerability Details

OSV

Signature Malleabillity in elliptic↗2020-07-29

▶

GHSA

Signature Malleabillity in elliptic↗2020-07-29

▶

OSV

CVE-2020-13822: The Elliptic package 6↗2020-06-04

▶

📋Vendor Advisories

Red Hat

nodejs-elliptic: improper encoding checks allows a certain degree of signature malleability in ECDSA signatures↗2020-06-01

▶

Debian

CVE-2020-13822: node-elliptic - The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via v...↗2020

▶

💬Community

Bugzilla

CVE-2020-13822 nodejs-elliptic: improper encoding checks allows a certain degree of signature malleability in ECDSA signatures↗2020-06-18

▶