CVE-2020-1026 - OpenCVE

A Security Feature Bypass vulnerability exists in the MSR JavaScript Cryptography Library that is caused by multiple bugs in the libraryâ€™s Elliptic Curve Cryptography (ECC) implementation.An attacker could potentially abuse these bugs to learn information about a serverâ€™s private ECC key (a key leakage attack) or craft an invalid ECDSA signature that nevertheless passes as valid.The security update addresses the vulnerability by fixing the bugs disclosed in the ECC implementation, aka 'MSR JavaScript Cryptography Library Security Feature Bypass Vulnerability'.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Microsoft	Research Javascript Cryptography Library

Configuration 1 [-]

cpe:2.3:a:microsoft:research_javascript_cryptography_library:1.4:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1026

History

No history.

MITRE

Status: PUBLISHED

Assigner: microsoft

Published: 2020-04-15T15:13:28

Updated: 2024-08-04T06:25:01.084Z

Reserved: 2019-11-04T00:00:00

Link: CVE-2020-1026

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-04-15T15:15:20.967

Modified: 2021-07-21T11:39:23.747

Link: CVE-2020-1026

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Microsoft Research JavaScript Cryptography Library V1.4", "vendor": "Microsoft", "versions": [{"status": "affected", "version": "unspecified"}]}], "descriptions": [{"lang": "en", "value": "A Security Feature Bypass vulnerability exists in the MSR JavaScript Cryptography Library that is caused by multiple bugs in the library\u00e2\u20ac\u2122s Elliptic Curve Cryptography (ECC) implementation.An attacker could potentially abuse these bugs to learn information about a server\u00e2\u20ac\u2122s private ECC key (a key leakage attack) or craft an invalid ECDSA signature that nevertheless passes as valid.The security update addresses the vulnerability by fixing the bugs disclosed in the ECC implementation, aka 'MSR JavaScript Cryptography Library Security Feature Bypass Vulnerability'."}], "problemTypes": [{"descriptions": [{"description": "Security Feature Bypass", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-04-15T15:13:28", "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1026"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secure@microsoft.com", "ID": "CVE-2020-1026", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Microsoft Research JavaScript Cryptography Library V1.4", "version": {"version_data": [{"version_value": ""}]}}]}, "vendor_name": "Microsoft"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A Security Feature Bypass vulnerability exists in the MSR JavaScript Cryptography Library that is caused by multiple bugs in the library\u00e2\u20ac\u2122s Elliptic Curve Cryptography (ECC) implementation.An attacker could potentially abuse these bugs to learn information about a server\u00e2\u20ac\u2122s private ECC key (a key leakage attack) or craft an invalid ECDSA signature that nevertheless passes as valid.The security update addresses the vulnerability by fixing the bugs disclosed in the ECC implementation, aka 'MSR JavaScript Cryptography Library Security Feature Bypass Vulnerability'."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Security Feature Bypass"}]}]}, "references": {"reference_data": [{"name": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1026", "refsource": "MISC", "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1026"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T06:25:01.084Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1026"}]}]}, "cveMetadata": {"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "assignerShortName": "microsoft", "cveId": "CVE-2020-1026", "datePublished": "2020-04-15T15:13:28", "dateReserved": "2019-11-04T00:00:00", "dateUpdated": "2024-08-04T06:25:01.084Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:research_javascript_cryptography_library:1.4:*:*:*:*:*:*:*", "matchCriteriaId": "FCC764DA-F8E4-482C-824B-93FCFCD1C2F6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A Security Feature Bypass vulnerability exists in the MSR JavaScript Cryptography Library that is caused by multiple bugs in the library\u00e2\u20ac\u2122s Elliptic Curve Cryptography (ECC) implementation.An attacker could potentially abuse these bugs to learn information about a server\u00e2\u20ac\u2122s private ECC key (a key leakage attack) or craft an invalid ECDSA signature that nevertheless passes as valid.The security update addresses the vulnerability by fixing the bugs disclosed in the ECC implementation, aka 'MSR JavaScript Cryptography Library Security Feature Bypass Vulnerability'."}, {"lang": "es", "value": "Hay una vulnerabilidad de Omisi\u00f3n de la Caracter\u00edstica de Seguridad en la MSR JavaScript Cryptography Library que es causada por m\u00faltiples bugs en la implementaci\u00f3n de library\u00c3\u00a2\u00e2\u201a\u00ac\u00e2\u201e\u00a2s Elliptic Curve Cryptography (ECC). Un atacante podr\u00eda abusar de estos bugs para obtener informaci\u00f3n sobre la clave privada de un servidor (un ataque de filtrado de claves) o crear una firma ECDSA no v\u00e1lida que, no obstante, se considere v\u00e1lida. La actualizaci\u00f3n de la seguridad aborda la vulnerabilidad al corregir los bugs revelados en la implementaci\u00f3n de la ECC, tambi\u00e9n se conoce como \"MSR JavaScript Cryptography Library Security Feature Bypass Vulnerability\"."}], "id": "CVE-2020-1026", "lastModified": "2021-07-21T11:39:23.747", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-04-15T15:15:20.967", "references": [{"source": "secure@microsoft.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1026"}], "sourceIdentifier": "secure@microsoft.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-347"}], "source": "nvd@nist.gov", "type": "Primary"}]}