CVE-2020-28498: Cryptographic Issues
First published: Tue Feb 02 2021(Updated: )
The npm package `elliptic` before version 6.5.4 are vulnerable to Cryptographic Issues via the secp256k1 implementation in elliptic/ec/key.js. There is no check to confirm that the public key point passed into the derive function actually exists on the secp256k1 curve. This results in the potential for the private key used in this implementation to be revealed after a number of ECDH operations are performed.
Credit: report@snyk.io report@snyk.io report@snyk.io
| Affected Software | Affected Version | How to fix |
|---|---|---|
| npm/elliptic | <6.5.4 | 6.5.4 |
| indutny Elliptic Node.js | <6.5.4 | |
| Elliptic | <6.5.4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2020-28498
- https://github.com/indutny/elliptic/pull/244/commits
- https://github.com/indutny/elliptic/commit/441b7428b0e8f6636c42118ad2aaa186d3c34c3f
- https://github.com/christianlundkvist/blog/blob/master/2020_05_26_secp256k1_twist_attacks/secp256k1_twist_attacks.md
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1069836
- https://snyk.io/vuln/SNYK-JS-ELLIPTIC-1064899
- https://www.npmjs.com/package/elliptic
- https://github.com/advisories/GHSA-r9p9-mrjm-926w (Advisory)
Frequently Asked Questions
What is the severity of CVE-2020-28498?
CVE-2020-28498 has a medium severity rating due to its potential for cryptographic exploitation.
How do I fix CVE-2020-28498?
To fix CVE-2020-28498, update the elliptic package to version 6.5.4 or later.
What software is affected by CVE-2020-28498?
CVE-2020-28498 affects the elliptic package versions prior to 6.5.4.
What type of vulnerability is CVE-2020-28498?
CVE-2020-28498 is identified as a cryptographic issue related to the secp256k1 implementation.
Can CVE-2020-28498 lead to security breaches?
Yes, CVE-2020-28498 can lead to security breaches if the public key point is not properly validated.
- collector/github-advisory-latest
- alias/GHSA-r9p9-mrjm-926w
- alias/CVE-2020-28498
- collector/github-advisory
- agent/references
- agent/type
- agent/title
- agent/weakness
- agent/remedy
- agent/severity
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/event
- agent/first-publish-date
- agent/author
- agent/last-modified-date
- agent/trending
- agent/source
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-cve
- agent/tags
- agent/softwarecombine
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- package-manager/npm
- vendor/elliptic project
- canonical/indutny elliptic node.js
- vendor/indutny
- canonical/elliptic