#VU97605 Improper Verification of Cryptographic Signature in elliptic


Published: 2024-09-19

Vulnerability identifier: #VU97605

Vulnerability risk: Medium

CVSSv3.1: 4.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-42460

CWE-ID: CWE-347

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
elliptic
Web applications / JS libraries

Vendor: indutny

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to an error when handling ECDSA signatures. A remote attacker can bypass signature-based security checks.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

elliptic: 6.0.0 - 6.5.6

External links
http://github.com/indutny/elliptic/pull/317

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in Red Hat Advanced Cluster Management for Kubernetes 2.10
Multiple vulnerabilities in elliptic library for Node.js