CVE-2016-9121 in go-jose

Summary

go-jose before 1.0.4 is vulnerable to an invalid curve attack against the ECDH-ES algorithm. When deriving a shared key using ECDH-ES for an encrypted message, go-jose did not check that the public key received with the message is on the same curve as the receiver's static private key.
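The missing check, sketched with Go's standard `crypto/elliptic` package. This is an added example, not go-jose's own code or its actual fix; `deriveZ`, `checkSamples` and `errInvalidPoint` are hypothetical names, the sample keys are constructed, and the key-derivation step that ECDH-ES applies to the raw secret is left out.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
)

var errInvalidPoint = errors.New("ephemeral public key is not a valid point on the receiver's curve")

// deriveZ (hypothetical helper) returns the raw ECDH secret only after validating the sender's key.
func deriveZ(priv *ecdsa.PrivateKey, pub *ecdsa.PublicKey) ([]byte, error) {
	if pub == nil || pub.X == nil || pub.Y == nil || pub.Curve != priv.Curve {
		return nil, errInvalidPoint
	}
	// The check the summary describes as missing: the point must satisfy the receiver's curve equation.
	if !priv.Curve.IsOnCurve(pub.X, pub.Y) {
		return nil, errInvalidPoint
	}
	x, _ := priv.Curve.ScalarMult(pub.X, pub.Y, priv.D.Bytes())
	size := (priv.Curve.Params().BitSize + 7) / 8
	return x.FillBytes(make([]byte, size)), nil
}

// checkSamples runs deriveZ over constructed inputs: a valid key pair and two invalid points.
func checkSamples() (agree bool, offCurveErr, wrongCurveErr error) {
	recv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	send, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	z1, err1 := deriveZ(recv, &send.PublicKey)
	z2, err2 := deriveZ(send, &recv.PublicKey)
	agree = err1 == nil && err2 == nil && bytes.Equal(z1, z2)
	// Constructed invalid input: a valid X paired with Y+1, which is not on P-256.
	bad := &ecdsa.PublicKey{Curve: elliptic.P256(), X: send.X, Y: new(big.Int).Add(send.Y, big.NewInt(1))}
	_, offCurveErr = deriveZ(recv, bad)
	// Constructed invalid input: P-384 coordinates labelled as a P-256 key.
	other, _ := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	mislabeled := &ecdsa.PublicKey{Curve: elliptic.P256(), X: other.X, Y: other.Y}
	_, wrongCurveErr = deriveZ(recv, mislabeled)
	return
}

func main() {
	agree, e1, e2 := checkSamples()
	fmt.Println(agree, e1, e2)
}
```

Comparing the declared curve alone is not enough, because the curve name in a received key is sender-controlled; the `IsOnCurve` test on the coordinates is what rejects the invalid point.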


Reservation

10/31/2016

Disclosure

03/27/2017

CPE

ready

CVSS

7.3

EPSS

0.00188

Activities

Very Low
