{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-06-04T14:01:53", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.npmjs.com/package/elliptic"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/indutny/elliptic/issues/226"}, {"tags": ["x_refsource_MISC"], "url": "https://yondon.blog/2019/01/01/how-not-to-use-ecdsa/"}, {"tags": ["x_refsource_MISC"], "url": "https://medium.com/%40herman_10687/malleability-attack-why-it-matters-7b5f59fb99a4"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-13822", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.npmjs.com/package/elliptic", "refsource": "MISC", "url": "https://www.npmjs.com/package/elliptic"}, {"name": "https://github.com/indutny/elliptic/issues/226", "refsource": "MISC", "url": "https://github.com/indutny/elliptic/issues/226"}, {"name": "https://yondon.blog/2019/01/01/how-not-to-use-ecdsa/", "refsource": "MISC", "url": "https://yondon.blog/2019/01/01/how-not-to-use-ecdsa/"}, {"name": "https://medium.com/@herman_10687/malleability-attack-why-it-matters-7b5f59fb99a4", "refsource": "MISC", "url": "https://medium.com/@herman_10687/malleability-attack-why-it-matters-7b5f59fb99a4"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T12:25:16.506Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.npmjs.com/package/elliptic"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/indutny/elliptic/issues/226"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://yondon.blog/2019/01/01/how-not-to-use-ecdsa/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://medium.com/%40herman_10687/malleability-attack-why-it-matters-7b5f59fb99a4"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-13822", "datePublished": "2020-06-04T14:01:53", "dateReserved": "2020-06-04T00:00:00", "dateUpdated": "2024-08-04T12:25:16.506Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:indutny:elliptic:6.5.2:*:*:*:*:node.js:*:*", "matchCriteriaId": "E5343FAF-0200-473D-922C-51CB46D28A7F", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature."}, {"lang": "es", "value": "El paquete Elliptic versi\u00f3n 6.5.2, para Node.js permite la maleabilidad de la firma ECDSA por medio de variaciones en la codificaci\u00f3n, conllevando a bytes \"\\0\", o a desbordamientos de enteros. Esto podr\u00eda tener un impacto relevante para la seguridad si una aplicaci\u00f3n se basara en una firma can\u00f3nica \u00fanica"}], "id": "CVE-2020-13822", "lastModified": "2024-11-21T05:01:56.443", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.5, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-06-04T15:15:13.510", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/indutny/elliptic/issues/226"}, {"source": "cve@mitre.org", "url": "https://medium.com/%40herman_10687/malleability-attack-why-it-matters-7b5f59fb99a4"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.npmjs.com/package/elliptic"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://yondon.blog/2019/01/01/how-not-to-use-ecdsa/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/indutny/elliptic/issues/226"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://medium.com/%40herman_10687/malleability-attack-why-it-matters-7b5f59fb99a4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.npmjs.com/package/elliptic"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://yondon.blog/2019/01/01/how-not-to-use-ecdsa/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-190"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2020:4298", "cpe": "cpe:/a:redhat:openshift:4.6::el8", "impact": "low", "package": "openshift4/ose-grafana:v4.6.0-202010061132.p0", "product_name": "Red Hat OpenShift Container Platform 4.6", "release_date": "2020-10-27T00:00:00Z"}, {"advisory": "RHSA-2020:4298", "cpe": "cpe:/a:redhat:openshift:4.6::el8", "impact": "low", "package": "openshift4/ose-prometheus:v4.6.0-202009290409.p0", "product_name": "Red Hat OpenShift Container Platform 4.6", "release_date": "2020-10-27T00:00:00Z"}, {"advisory": "RHSA-2020:5533", "cpe": "cpe:/a:redhat:red_hat_single_sign_on", "package": "nodejs", "product_name": "Text-Only RHSSO", "release_date": "2020-12-15T00:00:00Z"}], "bugzilla": {"description": "nodejs-elliptic: improper encoding checks allows a certain degree of signature malleability in ECDSA signatures", "id": "1848647", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1848647"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.7", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L", "status": "verified"}, "cwe": "CWE-190", "details": ["The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.", "The Elliptic for Node.js allows ECDSA signature malleability via variations in encoding, leading '\\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature."], "name": "CVE-2020-13822", "package_state": [{"cpe": "cpe:/a:redhat:service_mesh:1", "fix_state": "Fix deferred", "impact": "low", "package_name": "servicemesh-grafana", "product_name": "OpenShift Service Mesh 1"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Fix deferred", "impact": "low", "package_name": "quay/quay-rhel8", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Affected", "package_name": "nodejs", "product_name": "Red Hat Single Sign-On 7"}], "public_date": "2020-06-01T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-13822\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-13822\nhttps://snyk.io/vuln/SNYK-JS-ELLIPTIC-571484"], "statement": "In both OpenShift Container Platform (OCP) and OpenShift ServiceMesh (OSSM), the grafana and prometheus containers don't use the vulnerable elliptic library for authentication (OpenShift OAuth is used) or traffic communications (OpenShift route is used). Therefore the impact for OCP and OSSM is Low.\nRed Hat Quay includes nodejs-elliptic as a dependency of webpack. That dependency is only used at development time, not runtime. Therefore this vulnerability is rated low for Red Hat Quay.", "threat_severity": "Moderate"}