data/reports/GO-2020-0010.yaml

id: GO-2020-0010
modules:
    - module: github.com/square/go-jose
      versions:
        - fixed: 1.0.4
      vulnerable_at: 1.0.3
      packages:
        - package: github.com/square/go-jose/cipher
          symbols:
            - DeriveECDHES
        - package: github.com/square/go-jose
          symbols:
            - JsonWebEncryption.Decrypt
            - rawJsonWebKey.ecPublicKey
            - ecDecrypterSigner.decryptKey
          derived_symbols:
            - JsonWebKey.UnmarshalJSON
summary: 'TODO(https://go.dev/issue/56443): fill in summary field'
description: |
    When using ECDH-ES an attacker can mount an invalid curve attack during
    decryption as the supplied public key is not checked to be on the same
    curve as the receivers private key.
published: 2021-04-14T20:04:52Z
cves:
    - CVE-2016-9121
ghsas:
    - GHSA-86r9-39j9-99wp
credits:
    - Quan Nguyen from Google's Information Security Engineering Team
references:
    - fix: https://github.com/square/go-jose/commit/c7581939a3656bb65e89d64da0a52364a33d2507
    - web: https://www.openwall.com/lists/oss-security/2016/11/03/1