The Elliptic package 6.5.7 for Node.js, in its for ECDSA implementation, does not correctly verify valid signatures if the hash contains at least four leading 0 bytes and when the order of the elliptic curve's base point is smaller than the hash, because of an _truncateToN anomaly. This leads to valid signatures being rejected. Legitimate transactions or communications may be incorrectly flagged as invalid.
History

Tue, 05 Nov 2024 19:15:00 +0000

Type Values Removed Values Added
First Time appeared Nodejs
Nodejs elliptic
Weaknesses CWE-347
CPEs cpe:2.3:a:nodejs:elliptic:*:*:*:*:*:*:*:*
Vendors & Products Nodejs
Nodejs elliptic
Metrics cvssV3_1

{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

cvssV3_1

{'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L'}


Wed, 16 Oct 2024 01:30:00 +0000

Type Values Removed Values Added
Title elliptic: ECDSA signature verification error may reject legitimate transactions
Weaknesses CWE-222
References
Metrics threat_severity

None

cvssV3_1

{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L'}

threat_severity

Low


Tue, 15 Oct 2024 13:45:00 +0000

Type Values Removed Values Added
Description The Elliptic package 6.5.7 for Node.js, in its for ECDSA implementation, does not correctly verify valid signatures if the hash contains at least four leading 0 bytes and when the order of the elliptic curve's base point is smaller than the hash, because of an _truncateToN anomaly. This leads to valid signatures being rejected. Legitimate transactions or communications may be incorrectly flagged as invalid.
References

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2024-10-15T00:00:00

Updated: 2024-11-05T18:36:35.085Z

Reserved: 2024-10-10T00:00:00

Link: CVE-2024-48948

cve-icon Vulnrichment

Updated: 2024-11-05T18:36:28.677Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2024-10-15T14:15:05.280

Modified: 2024-11-05T19:36:14.127

Link: CVE-2024-48948

cve-icon Redhat

Severity : Low

Publid Date: 2024-10-15T00:00:00Z

Links: CVE-2024-48948 - Bugzilla