Key Management Errors

CVE-2017-16007

Medium

5.9/10

Summary

node-jose is a JavaScript implementation of the JSON Object Signing and Encryption (JOSE) for current web browsers and node.js-based servers. node-jose earlier than version 0.9.3 is vulnerable to an invalid curve attack. This allows an attacker to recover the private secret key when JWE with Key Agreement with Elliptic Curve Diffie-Hellman Ephemeral Static (ECDH-ES) is used.

Attack Complexity: HIGH
Attack Vector: NETWORK
Integrity Impact: NONE
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: HIGH
Availability Impact: NONE

CWE-320 - Key Management Errors

Weaknesses in this category are related to errors in the management of cryptographic keys.

References

Advisory
Advisory
Pull request
Blog
POC/Exploit

Advisory Timeline

Published Jun 04, 2018

Key Management Errors

CVE-2017-16007

Summary

CWE-320 - Key Management Errors

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS