Improper Handling of Length Parameter Inconsistency
CVE-2024-42460
Summary
The elliptic package for Node.js, versions 2.0.0 through 6.5.6, is vulnerable to Improper Handling of Length Parameter Inconsistency. ECDSA signature malleability occurs because the DER signature parser does not check whether a leading zero byte in "r" or "s" is actually required (under DER a leading 0x00 is only permitted when the next byte has its high bit set), so a signature with an extra leading zero byte decodes to the same (r, s) as the canonical encoding and still verifies. This has the same fix commit as CVE-2024-42461.
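The following is an added example, not code from the elliptic project: a minimal DER parser for an ECDSA signature (SEQUENCE of two INTEGERs r and s) with a `strict` switch. With `strict = false` it tolerates an unneeded leading 0x00 in r or s, the behaviour the advisory describes, so two different byte strings decode to the same (r, s); with `strict = true` it enforces DER's minimal-integer rule and rejects the padded variant while still accepting a leading zero that DER genuinely requires. It also shows the length-vs-data consistency check behind the CWE-130 classification, and a canonical re-encoding comparison an application can use as a belt-and-braces check on top of any library. It assumes curves of at most 32-byte field size (so only DER short-form lengths occur); all signature values are constructed for illustration, not real test vectors.

```javascript
// Added example (not elliptic's own code). Assumes r and s fit in 32 bytes
// (secp256k1, P-256), so DER short-form lengths (< 128) are the only valid ones.

const ZERO = Buffer.from([0x00]);

function parseInteger(buf, pos, strict) {
  if (buf[pos] !== 0x02) throw new Error('expected INTEGER tag at offset ' + pos);
  const len = buf[pos + 1];
  if (len === undefined || len === 0 || len & 0x80) throw new Error('bad INTEGER length');
  const start = pos + 2;
  const end = start + len;
  if (end > buf.length) throw new Error('INTEGER runs past end of signature');
  const bytes = buf.subarray(start, end);
  if (bytes[0] & 0x80) throw new Error('negative INTEGER is not a valid r/s');
  // DER minimality: a leading 0x00 is only allowed when it is needed to keep the
  // value positive, i.e. when the following byte has its high bit set. Skipping
  // this check is the malleability the advisory describes.
  if (strict && len > 1 && bytes[0] === 0x00 && !(bytes[1] & 0x80)) {
    throw new Error('non-minimal INTEGER: unnecessary leading zero byte');
  }
  // Big-number conversion drops leading zeros, which is exactly why a lax
  // parser maps the padded and the canonical encoding to the same value.
  let value = 0n;
  for (const b of bytes) value = (value << 8n) | BigInt(b);
  return { value, next: end };
}

function parseSignature(buf, strict) {
  if (buf.length < 8 || buf[0] !== 0x30) throw new Error('expected SEQUENCE');
  const seqLen = buf[1];
  if (seqLen & 0x80) throw new Error('long-form SEQUENCE length not expected');
  // The declared length must match the data actually present (CWE-130).
  if (seqLen + 2 !== buf.length) throw new Error('SEQUENCE length does not match buffer');
  const r = parseInteger(buf, 2, strict);
  const s = parseInteger(buf, r.next, strict);
  if (s.next !== buf.length) throw new Error('trailing bytes after s');
  return { r: r.value, s: s.value };
}

// Canonical DER INTEGER; extraZero adds a zero byte DER never needs (the
// malleable variant), used only to construct the attacker-style input below.
function encodeInteger(value, extraZero = false) {
  let hex = value.toString(16);
  if (hex.length % 2) hex = '0' + hex;
  let bytes = Buffer.from(hex, 'hex');
  if (bytes[0] & 0x80) bytes = Buffer.concat([ZERO, bytes]); // required by DER
  if (extraZero) bytes = Buffer.concat([ZERO, bytes]);       // never required
  return Buffer.concat([Buffer.from([0x02, bytes.length]), bytes]);
}

function encodeSignature(r, s, extraZeroInR = false) {
  const body = Buffer.concat([encodeInteger(r, extraZeroInR), encodeInteger(s)]);
  return Buffer.concat([Buffer.from([0x30, body.length]), body]);
}

// Application-level check usable with any library: the bytes received must be
// exactly the canonical encoding of the (r, s) they decode to.
function isCanonical(buf) {
  const { r, s } = parseSignature(buf, false);
  return encodeSignature(r, s).equals(buf);
}

function throws(fn) {
  try { fn(); return false; } catch { return true; }
}

function demo() {
  const canonical = encodeSignature(0x1234n, 0x5678n);       // constructed values
  const padded = encodeSignature(0x1234n, 0x5678n, true);    // same (r, s), extra 0x00 in r
  const lax1 = parseSignature(canonical, false);
  const lax2 = parseSignature(padded, false);
  return {
    canonicalHex: canonical.toString('hex'),
    paddedHex: padded.toString('hex'),
    laxSameValue: lax1.r === lax2.r && lax1.s === lax2.s,   // both accepted, indistinguishable
    strictRejectsPadded: throws(() => parseSignature(padded, true)),
    // leading zero that DER requires (next byte 0x80) must still be accepted
    strictAcceptsRequiredZero: parseSignature(encodeSignature(0x80abn, 0x01n), true).r === 0x80abn,
    paddedIsCanonical: isCanonical(padded),
    canonicalIsCanonical: isCanonical(canonical),
    // declared SEQUENCE length 9 but only 8 body bytes follow
    lengthMismatchRejected: throws(() => parseSignature(Buffer.from('30090202123402025678', 'hex'), false)),
  };
}

console.log(demo());
```

The lax mode is what makes the signature malleable: any system that keys on the signature bytes (transaction IDs, replay caches, deduplication) can be fed a second, distinct encoding of the same valid signature. Rejecting non-minimal integers in the parser fixes the root cause; comparing against the canonical re-encoding is a cheap extra guard when the parser is not under your control.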
- Attack Complexity: LOW
- Attack Vector: NETWORK
- Privileges Required: NONE
- Scope: UNCHANGED
- User Interaction: NONE
- Confidentiality: NONE
- Integrity: LOW
- Availability: NONE
CWE-130 - Improper Handling of Length Parameter Inconsistency
The software parses a formatted message or structure, but it does not handle or incorrectly handles a length field that is inconsistent with the actual length of the associated data.
References
Advisory Timeline
- Published