You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Path to dependency file: /aws-node-typescript-nest/package.json
Path to vulnerable library: /aws-node-typescript-nest/node_modules/elliptic/package.json,/aws-node-github-check/node_modules/elliptic/package.json,/aws-node-fullstack/frontend/node_modules/elliptic/package.json
Path to dependency file: /aws-node-vue-nuxt-ssr/package.json
Path to vulnerable library: /aws-node-vue-nuxt-ssr/node_modules/elliptic/package.json,/azure-node-telegram-bot/node_modules/elliptic/package.json,/aws-node-signed-uploads/node_modules/elliptic/package.json,/aws-node-auth0-cognito-custom-authorizers-api/node_modules/elliptic/package.json,/aws-node-dynamic-image-resizer/node_modules/elliptic/package.json,/azure-node-line-bot/node_modules/elliptic/package.json
Path to dependency file: /aws-node-typescript-sqs-standard/package.json
Path to vulnerable library: /aws-node-typescript-sqs-standard/node_modules/elliptic/package.json,/aws-node-typescript-kinesis/node_modules/elliptic/package.json
The Elliptic package 6.5.7 for Node.js, in its for ECDSA implementation, does not correctly verify valid signatures if the hash contains at least four leading 0 bytes and when the order of the elliptic curve's base point is smaller than the hash, because of an _truncateToN anomaly. This leads to valid signatures being rejected. Legitimate transactions or communications may be incorrectly flagged as invalid.
mend-bolt-for-githubbot
changed the title
CVE-2024-48948 (Medium) detected in multiple libraries
CVE-2024-48948 (High) detected in multiple libraries
Oct 20, 2024
mend-bolt-for-githubbot
changed the title
CVE-2024-48948 (High) detected in multiple libraries
CVE-2024-48948 (Medium) detected in multiple libraries
Nov 7, 2024
CVE-2024-48948 - Medium Severity Vulnerability
Vulnerable Libraries - elliptic-6.4.1.tgz, elliptic-6.5.4.tgz, elliptic-6.5.1.tgz, elliptic-6.4.0.tgz, elliptic-6.5.3.tgz
elliptic-6.4.1.tgz
EC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.4.1.tgz
Path to dependency file: /aws-node-typescript-nest/package.json
Path to vulnerable library: /aws-node-typescript-nest/node_modules/elliptic/package.json,/aws-node-github-check/node_modules/elliptic/package.json,/aws-node-fullstack/frontend/node_modules/elliptic/package.json
Dependency Hierarchy:
elliptic-6.5.4.tgz
EC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.4.tgz
Path to dependency file: /aws-node-vue-nuxt-ssr/package.json
Path to vulnerable library: /aws-node-vue-nuxt-ssr/node_modules/elliptic/package.json,/azure-node-telegram-bot/node_modules/elliptic/package.json,/aws-node-signed-uploads/node_modules/elliptic/package.json,/aws-node-auth0-cognito-custom-authorizers-api/node_modules/elliptic/package.json,/aws-node-dynamic-image-resizer/node_modules/elliptic/package.json,/azure-node-line-bot/node_modules/elliptic/package.json
Dependency Hierarchy:
elliptic-6.5.1.tgz
EC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.1.tgz
Path to dependency file: /aws-node-typescript-sqs-standard/package.json
Path to vulnerable library: /aws-node-typescript-sqs-standard/node_modules/elliptic/package.json,/aws-node-typescript-kinesis/node_modules/elliptic/package.json
Dependency Hierarchy:
elliptic-6.4.0.tgz
EC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.4.0.tgz
Path to dependency file: /aws-node-oauth-dropbox-api/package.json
Path to vulnerable library: /aws-node-oauth-dropbox-api/node_modules/elliptic/package.json
Dependency Hierarchy:
elliptic-6.5.3.tgz
EC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.3.tgz
Path to dependency file: /azure-node-typescript-servicebus-trigger-endpoint/package.json
Path to vulnerable library: /azure-node-typescript-servicebus-trigger-endpoint/node_modules/elliptic/package.json
Dependency Hierarchy:
Found in HEAD commit: dcbe4aefe4b3685f4b15493a01db0f19b118a0c4
Found in base branch: master
Vulnerability Details
The Elliptic package 6.5.7 for Node.js, in its for ECDSA implementation, does not correctly verify valid signatures if the hash contains at least four leading 0 bytes and when the order of the elliptic curve's base point is smaller than the hash, because of an _truncateToN anomaly. This leads to valid signatures being rejected. Legitimate transactions or communications may be incorrectly flagged as invalid.
Publish Date: 2024-10-15
URL: CVE-2024-48948
CVSS 3 Score Details (4.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-fc9h-whq2-v747
Release Date: 2024-10-28
Fix Resolution: elliptic - 6.6.0
Step up your Open Source Security Game with Mend here
The text was updated successfully, but these errors were encountered: