CVE-2022-41340 - Vulnerability Details - OpenCVE

ReportizFlow

The secp256k1-js package before 1.1.0 for Node.js implements ECDSA without required r and s validation, leading to signature forgery.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Secp256k1-js Project	Secp256k1-js

Configuration 1 [-]

cpe:2.3:a:secp256k1-js_project:secp256k1-js:*:*:*:*:*:node.js:*:*

No data.

References

Link	Providers
https://github.com/lionello/secp256k1-js/commit/302800f0370b42e360a33774bb808274ac729c2e
https://github.com/lionello/secp256k1-js/compare/1.0.1...1.1.0
https://github.com/lionello/secp256k1-js/issues/11
https://www.npmjs.com/package/%40lionello/secp256k1-js

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2022-09-24T18:22:27

Updated: 2024-08-03T12:42:45.436Z

Reserved: 2022-09-24T00:00:00

Link: CVE-2022-41340

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-09-24T19:15:08.960

Modified: 2024-11-21T07:23:05.067

Link: CVE-2022-41340

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "The secp256k1-js package before 1.1.0 for Node.js implements ECDSA without required r and s validation, leading to signature forgery."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-09-24T18:22:27", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/lionello/secp256k1-js/issues/11"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/lionello/secp256k1-js/commit/302800f0370b42e360a33774bb808274ac729c2e"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/lionello/secp256k1-js/compare/1.0.1...1.1.0"}, {"tags": ["x_refsource_MISC"], "url": "https://www.npmjs.com/package/%40lionello/secp256k1-js"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "[email protected]", "ID": "CVE-2022-41340", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The secp256k1-js package before 1.1.0 for Node.js implements ECDSA without required r and s validation, leading to signature forgery."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/lionello/secp256k1-js/issues/11", "refsource": "MISC", "url": "https://github.com/lionello/secp256k1-js/issues/11"}, {"name": "https://github.com/lionello/secp256k1-js/commit/302800f0370b42e360a33774bb808274ac729c2e", "refsource": "MISC", "url": "https://github.com/lionello/secp256k1-js/commit/302800f0370b42e360a33774bb808274ac729c2e"}, {"name": "https://github.com/lionello/secp256k1-js/compare/1.0.1...1.1.0", "refsource": "MISC", "url": "https://github.com/lionello/secp256k1-js/compare/1.0.1...1.1.0"}, {"name": "https://www.npmjs.com/package/@lionello/secp256k1-js", "refsource": "MISC", "url": "https://www.npmjs.com/package/@lionello/secp256k1-js"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T12:42:45.436Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/lionello/secp256k1-js/issues/11"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/lionello/secp256k1-js/commit/302800f0370b42e360a33774bb808274ac729c2e"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/lionello/secp256k1-js/compare/1.0.1...1.1.0"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.npmjs.com/package/%40lionello/secp256k1-js"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2022-41340", "datePublished": "2022-09-24T18:22:27", "dateReserved": "2022-09-24T00:00:00", "dateUpdated": "2024-08-03T12:42:45.436Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:secp256k1-js_project:secp256k1-js:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "F018F199-A11C-4DA8-9B5A-571D1EEA160A", "versionEndExcluding": "1.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The secp256k1-js package before 1.1.0 for Node.js implements ECDSA without required r and s validation, leading to signature forgery."}, {"lang": "es", "value": "El paquete secp256k1-js versiones anteriores a 1.1.0 para Node.js implementa ECDSA sin la comprobaci\u00f3n de r y s requerida, conllevando a una falsificaci\u00f3n de firmas.\n"}], "id": "CVE-2022-41340", "lastModified": "2024-11-21T07:23:05.067", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "[email protected]", "type": "Primary"}]}, "published": "2022-09-24T19:15:08.960", "references": [{"source": "[email protected]", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/lionello/secp256k1-js/commit/302800f0370b42e360a33774bb808274ac729c2e"}, {"source": "[email protected]", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/lionello/secp256k1-js/compare/1.0.1...1.1.0"}, {"source": "[email protected]", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://github.com/lionello/secp256k1-js/issues/11"}, {"source": "[email protected]", "url": "https://www.npmjs.com/package/%40lionello/secp256k1-js"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/lionello/secp256k1-js/commit/302800f0370b42e360a33774bb808274ac729c2e"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/lionello/secp256k1-js/compare/1.0.1...1.1.0"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://github.com/lionello/secp256k1-js/issues/11"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.npmjs.com/package/%40lionello/secp256k1-js"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-347"}], "source": "[email protected]", "type": "Primary"}]}