data/reports/GO-2020-0010.yaml - vulndb - Git at Google

 modules:
   - module: github.com/square/go-jose
     versions:
       - fixed: 1.0.4
     vulnerable_at: 1.0.3
     packages:
       - package: github.com/square/go-jose/cipher
         symbols:
           - DeriveECDHES
       - package: github.com/square/go-jose
         symbols:
           - JsonWebEncryption.Decrypt
           - rawJsonWebKey.ecPublicKey
           - ecDecrypterSigner.decryptKey
         derived_symbols:
           - JsonWebKey.UnmarshalJSON
 description: |
     When using ECDH-ES an attacker can mount an invalid curve attack during
     decryption as the supplied public key is not checked to be on the same
     curve as the receivers private key.
 published: 2021-04-14T20:04:52Z
 cves:
   - CVE-2016-9121
 ghsas:
   - GHSA-86r9-39j9-99wp
 credit: Quan Nguyen from Google's Information Security Engineering Team
 references:
   - fix: https://github.com/square/go-jose/commit/c7581939a3656bb65e89d64da0a52364a33d2507
   - web: https://www.openwall.com/lists/oss-security/2016/11/03/1
	modules:
	- module: github.com/square/go-jose
	versions:
	- fixed: 1.0.4
	vulnerable_at: 1.0.3
	packages:
	- package: github.com/square/go-jose/cipher
	symbols:
	- DeriveECDHES
	- package: github.com/square/go-jose
	symbols:
	- JsonWebEncryption.Decrypt
	- rawJsonWebKey.ecPublicKey
	- ecDecrypterSigner.decryptKey
	derived_symbols:
	- JsonWebKey.UnmarshalJSON
	description: \|
	When using ECDH-ES an attacker can mount an invalid curve attack during
	decryption as the supplied public key is not checked to be on the same
	curve as the receivers private key.
	published: 2021-04-14T20:04:52Z
	cves:
	- CVE-2016-9121
	ghsas:
	- GHSA-86r9-39j9-99wp
	credit: Quan Nguyen from Google's Information Security Engineering Team
	references:
	- fix: https://github.com/square/go-jose/commit/c7581939a3656bb65e89d64da0a52364a33d2507
	- web: https://www.openwall.com/lists/oss-security/2016/11/03/1