blob: d7bcf4311f501df43000df75fbfa4603633c5927 [file] [log] [blame]
id: GO-2020-0010
modules:
- module: github.com/square/go-jose
versions:
- fixed: 1.0.4
vulnerable_at: 1.0.3
packages:
- package: github.com/square/go-jose/cipher
symbols:
- DeriveECDHES
- package: github.com/square/go-jose
symbols:
- JsonWebEncryption.Decrypt
- rawJsonWebKey.ecPublicKey
- ecDecrypterSigner.decryptKey
derived_symbols:
- JsonWebKey.UnmarshalJSON
summary: Elliptic curve key disclosure in github.com/square/go-jose
description: |-
When using ECDH-ES an attacker can mount an invalid curve attack during
decryption as the supplied public key is not checked to be on the same curve as
the receivers private key.
published: 2021-04-14T20:04:52Z
cves:
- CVE-2016-9121
ghsas:
- GHSA-86r9-39j9-99wp
credits:
- Quan Nguyen from Google's Information Security Engineering Team
references:
- fix: https://github.com/square/go-jose/commit/c7581939a3656bb65e89d64da0a52364a33d2507
- web: https://www.openwall.com/lists/oss-security/2016/11/03/1
review_status: REVIEWED