Exposure of Sensitive Information to an Unauthorized Actor in elliptic

Cx88b46a98-47a5

elliptic
org.webjars.npm:elliptic

High

9/10

Summary

The elliptic package is a plain JavaScript implementation of elliptic-curve cryptography. Versions of elliptic package prior to 6.6.1 are vulnerable to Information Exposure due to the `sign` function, which enables an attacker to extract the private key from an ECDSA signature by signing a specially crafted input. A single maliciously crafted signed message can allow the complete extraction of the private key for any known message-signature pair.

Attack Complexity: LOW
Attack Vector: NETWORK
User Interaction: NONE
Privileges Required: NONE

CWE-200 - Information Exposure

An information exposure vulnerability is categorized as an information flow (IF) weakness, which can potentially allow unauthorized access to otherwise classified information in the application, such as confidential personal information (demographics, financials, health records, etc.), business secrets, and the application's internal environment.

References

Advisory

Advisory Timeline

Published Nov 13, 2014

Exposure of Sensitive Information to an Unauthorized Actor in elliptic

Cx88b46a98-47a5

Summary

CWE-200 - Information Exposure

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS