blob: 82c14cf4fea4bf975fc4c72caef0fe7b17ab1db9 [file] [log] [blame]
packages:
- module: github.com/square/go-jose
package: github.com/square/go-jose/cipher
symbols:
- DeriveECDHES
- ecDecrypterSigner.decryptKey
- rawJsonWebKey.ecPublicKey
versions:
- fixed: 0.0.0-20160831185616-c7581939a365
- module: github.com/square/go-jose
symbols:
- JsonWebEncryption.Decrypt
description: |
When using ECDH-ES an attacker can mount an invalid curve attack during
decryption as the supplied public key is not checked to be on the same
curve as the receivers private key.
published: 2021-04-14T20:04:52Z
cves:
- CVE-2016-9121
ghsas:
- GHSA-86r9-39j9-99wp
credit: Quan Nguyen from Google's Information Security Engineering Team
links:
commit: https://github.com/square/go-jose/commit/c7581939a3656bb65e89d64da0a52364a33d2507
context:
- https://www.openwall.com/lists/oss-security/2016/11/03/1