mend-bolt-for-github (bot) changed the title from "jwk-to-pem-2.0.5.tgz: 2 vulnerabilities (highest severity is: 5.3)" to "jwk-to-pem-2.0.5.tgz: 3 vulnerabilities (highest severity is: 5.3)" on Aug 5, 2024
mend-bolt-for-github (bot) changed the title from "jwk-to-pem-2.0.5.tgz: 3 vulnerabilities (highest severity is: 5.3)" to "jwk-to-pem-2.0.5.tgz: 3 vulnerabilities (highest severity is: 9.1)" on Aug 16, 2024
mend-bolt-for-github (bot) changed the title from "jwk-to-pem-2.0.5.tgz: 3 vulnerabilities (highest severity is: 9.1)" to "jwk-to-pem-2.0.5.tgz: 4 vulnerabilities (highest severity is: 9.1)" on Oct 10, 2024
mend-bolt-for-github (bot) changed the title from "jwk-to-pem-2.0.5.tgz: 4 vulnerabilities (highest severity is: 9.1)" to "jwk-to-pem-2.0.5.tgz: 5 vulnerabilities (highest severity is: 9.1)" on Oct 20, 2024
mend-bolt-for-github (bot) changed the title from "jwk-to-pem-2.0.5.tgz: 5 vulnerabilities (highest severity is: 9.1)" to "jwk-to-pem-2.0.5.tgz: 2 vulnerabilities (highest severity is: 9.1)" on Oct 28, 2024
Vulnerable Library - jwk-to-pem-2.0.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/elliptic/package.json
Vulnerabilities
*For some transitive vulnerabilities, there is no version of the direct dependency with a fix. Check the "Details" section below to see if there is a version of the transitive dependency where the vulnerability is fixed.
**In some cases, a Remediation PR cannot be created automatically for a vulnerability despite the availability of a remediation.
Details
CVE-2024-48949
Vulnerable Library - elliptic-6.5.4.tgz
EC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/elliptic/package.json
Dependency Hierarchy:
jwk-to-pem-2.0.5.tgz (Root Library)
❌ elliptic-6.5.4.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
The verify function in lib/elliptic/eddsa/index.js in the Elliptic package before 6.5.6 for Node.js omits "sig.S().gte(sig.eddsa.curve.n) || sig.S().isNeg()" validation.
Publish Date: 2024-10-10
URL: CVE-2024-48949
CVSS 3 Score Details (9.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-48949
Release Date: 2024-10-10
Fix Resolution (elliptic): 6.5.6
Direct dependency fix Resolution (jwk-to-pem): 2.0.6
Step up your Open Source Security Game with Mend here
CVE-2024-48948
Vulnerable Library - elliptic-6.5.4.tgz
EC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/elliptic/package.json
Dependency Hierarchy:
jwk-to-pem-2.0.5.tgz (Root Library)
❌ elliptic-6.5.4.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
The Elliptic package 6.5.7 for Node.js, in its ECDSA implementation, does not correctly verify valid signatures if the hash contains at least four leading 0 bytes and when the order of the elliptic curve's base point is smaller than the hash, because of a _truncateToN anomaly. This leads to valid signatures being rejected. Legitimate transactions or communications may be incorrectly flagged as invalid.
Publish Date: 2024-10-15
URL: CVE-2024-48948
CVSS 3 Score Details (4.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-fc9h-whq2-v747
Release Date: 2024-10-15
Fix Resolution: elliptic - 6.6.0