Description

In Development IL ecdh before 0.2.0, an attacker can send an invalid point (not on the curve) as the public key, and obtain the derived shared secret.

Remediation

References

https://github.com/developmentil/ecdh/issues/3

Related Vulnerabilities

CVE-2023-37899 Vulnerability in npm package @feathersjs/transport-commons

CVE-2018-1002203 Vulnerability in npm package unzipper

CVE-2019-12043 Vulnerability in maven package org.webjars.bowergithub.jonschlinkert:remarkable

CVE-2021-28918 Vulnerability in npm package netmask

CVE-2022-24897 Vulnerability in maven package org.xwiki.commons:xwiki-commons-velocity

Severity

High

Classification

CWE-668 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Tags

Exploit Issue Tracking