CVE-2020-28498: Use of a Broken or Risky Cryptographic Algorithm in Elliptic

Severity: 6.8 MEDIUM (NVD)
EPSS: 3.9% (top 11.65%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 2; latest update Mar 8

Description

Versions of the package elliptic before 6.5.4 are vulnerable to Cryptographic Issues via the secp256k1 implementation in elliptic/ec/key.js. There is no check that the public key point passed into the derive function actually lies on the secp256k1 curve. As a result, the private key used in this implementation can potentially be revealed after a number of ECDH operations are performed.
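The missing check described above, written as a standalone validation a caller can run on a peer's public key before any ECDH step. This is an added example, not code from elliptic or from its 6.5.4 patch; the function names `validatePeerPublicKey` and `isValidPeerPublicKey` are hypothetical, and the sample keys are constructed from the standard secp256k1 generator point.

```javascript
// secp256k1 domain parameters (public constants): y^2 = x^3 + 7 over F_P.
const P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2Fn;
const B = 7n;

// Hypothetical helper: validate an uncompressed SEC1 public key given as a
// hex string ("04" || X || Y). Returns {x, y} on success, throws otherwise.
function validatePeerPublicKey(hex) {
  if (typeof hex !== 'string' || !/^04[0-9a-fA-F]{128}$/.test(hex)) {
    throw new Error('expected 65-byte uncompressed point (04 || X || Y)');
  }
  const x = BigInt('0x' + hex.slice(2, 66));
  const y = BigInt('0x' + hex.slice(66, 130));

  // Coordinates must be canonical field elements.
  if (x >= P || y >= P) throw new Error('coordinate out of range');

  // The point must satisfy the curve equation; this is the check the
  // description says was absent before the derive step.
  const lhs = (y * y) % P;
  const rhs = (x * x * x + B) % P;
  if (lhs !== rhs) throw new Error('point is not on secp256k1');

  return { x, y };
}

// Boolean wrapper for call sites that only need accept/reject.
function isValidPeerPublicKey(hex) {
  try {
    validatePeerPublicKey(hex);
    return true;
  } catch (e) {
    return false;
  }
}

// Constructed sample inputs: the generator point G, and G with Y changed by one.
const GX = '79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798';
const GY = '483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8';
const ON_CURVE_KEY = '04' + GX + GY;
const OFF_CURVE_KEY = '04' + GX + GY.slice(0, -1) + '9';

console.log(isValidPeerPublicKey(ON_CURVE_KEY));  // accepted
console.log(isValidPeerPublicKey(OFF_CURVE_KEY)); // rejected
```

secp256k1 has cofactor 1, so a finite point that passes this check is in the prime-order group and no separate subgroup check is needed.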

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
Exploitability: 2.2 | Impact: 4.0

Affected Packages (3 packages)

NVD: indutny/elliptic < 6.5.4
npm: indutny/elliptic < 6.5.4
debian: debian/node-elliptic < node-elliptic 6.5.4~dfsg-1 (bookworm)

Patches

🔴 Vulnerability Details (3)

OSV: Elliptic Uses a Broken or Risky Cryptographic Algorithm (2021-03-08)
GHSA: Elliptic Uses a Broken or Risky Cryptographic Algorithm (2021-03-08)
OSV: CVE-2020-28498: The package elliptic before 6 (2021-02-02)

📋 Vendor Advisories (1)

Debian: CVE-2020-28498: node-elliptic - The package elliptic before 6.5.4 are vulnerable to Cryptographic Issues via the... (2020)