CVE-2024-42460

Aug. 2, 2024, 4:35 p.m.

5.3
Medium

Description

In the Elliptic package 6.5.6 for Node.js, ECDSA signature malleability occurs because there is a missing check for whether the leading bit of r and s is zero.

Product(s) Impacted

Product Versions
Node.js Elliptic package
  • ['6.5.6']

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-130
Improper Handling of Length Parameter Inconsistency
The product parses a formatted message or structure, but it does not handle or incorrectly handles a length field that is inconsistent with the actual length of the associated data.

References

https://github.com/indutny/elliptic/pull/317

Tags

cve@mitre.org
CWE-130
2024-08-02
CVE-2024-42460

CVSS Score

5.3 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: LOW
  • Integrity Impact: NONE
  • Availability Impact: NONE

    • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

    View Vector String

Timeline

Published: Aug. 2, 2024, 7:16 a.m.
Last Modified: Aug. 2, 2024, 4:35 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

cve@mitre.org

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.