acronym-decoder icon indicating copy to clipboard operation
acronym-decoder copied to clipboard
verified publisher icon capitalone

crypto-browserify-3.12.0.tgz: 3 vulnerabilities (highest severity is: 9.1)

Open mend-for-github-com[bot] opened this issue 2 years ago • 2 comments

Vulnerable Library - crypto-browserify-3.12.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (crypto-browserify version) Remediation Possible**
CVE-2024-42461 Critical 9.1 elliptic-6.5.4.tgz Transitive N/A*
CVE-2024-42460 Medium 5.3 elliptic-6.5.4.tgz Transitive N/A*
CVE-2024-42459 Medium 5.3 elliptic-6.5.4.tgz Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-42461

Vulnerable Library - elliptic-6.5.4.tgz

EC cryptography

Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • crypto-browserify-3.12.0.tgz (Root Library)
    • create-ecdh-4.0.4.tgz
      • :x: elliptic-6.5.4.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In the Elliptic package 6.5.6 for Node.js, ECDSA signature malleability occurs because BER-encoded signatures are allowed.

Publish Date: 2024-08-02

URL: CVE-2024-42461

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None
For more information on CVSS3 Scores, click here.

CVE-2024-42460

Vulnerable Library - elliptic-6.5.4.tgz

EC cryptography

Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • crypto-browserify-3.12.0.tgz (Root Library)
    • create-ecdh-4.0.4.tgz
      • :x: elliptic-6.5.4.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In the Elliptic package 6.5.6 for Node.js, ECDSA signature malleability occurs because there is a missing check for whether the leading bit of r and s is zero.

Publish Date: 2024-08-02

URL: CVE-2024-42460

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2024-08-02

Fix Resolution: elliptic - 6.5.7

CVE-2024-42459

Vulnerable Library - elliptic-6.5.4.tgz

EC cryptography

Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • crypto-browserify-3.12.0.tgz (Root Library)
    • create-ecdh-4.0.4.tgz
      • :x: elliptic-6.5.4.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In the Elliptic package 6.5.6 for Node.js, EDDSA signature malleability occurs because there is a missing signature length check, and thus zero-valued bytes can be removed or appended.

Publish Date: 2024-08-02

URL: CVE-2024-42459

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None
For more information on CVSS3 Scores, click here.

mend-for-github-com[bot] avatar Dec 05 '23 01:12 mend-for-github-com[bot]

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

mend-for-github-com[bot] avatar May 16 '24 16:05 mend-for-github-com[bot]

:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.

mend-for-github-com[bot] avatar Aug 04 '24 12:08 mend-for-github-com[bot]

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

mend-for-github-com[bot] avatar Oct 10 '24 19:10 mend-for-github-com[bot]