reports/GO-2020-0010.toml - vulndb - Git at Google

 package = "github.com/square/go-jose/cipher"

 description = """
 When using ECDH-ES an attacker can mount an invalid curve attack during
 decryption as the supplied public key is not checked to be on the same
 curve as the recievers private key.
 """

 cve = "CVE-2016-9121"

 credit = "Quan Nguyen from Google's Information Security Engineering Team"

 symbols = ["DeriveECDHES", "ecDecrypterSigner.decryptKey", "rawJsonWebKey.ecPublicKey"]

 [[versions]]
 fixed = "v0.0.0-20160831185616-c7581939a365"

 [[additional_packages]]
 package = "github.com/square/go-jose"
 symbols = ["JsonWebEncryption.Decrypt"]

 [links]
 commit = "https://github.com/square/go-jose/commit/c7581939a3656bb65e89d64da0a52364a33d2507"
 context = ["https://www.openwall.com/lists/oss-security/2016/11/03/1"]
	package = "github.com/square/go-jose/cipher"

	description = """
	When using ECDH-ES an attacker can mount an invalid curve attack during
	decryption as the supplied public key is not checked to be on the same
	curve as the recievers private key.
	"""

	cve = "CVE-2016-9121"

	credit = "Quan Nguyen from Google's Information Security Engineering Team"

	symbols = ["DeriveECDHES", "ecDecrypterSigner.decryptKey", "rawJsonWebKey.ecPublicKey"]

	[[versions]]
	fixed = "v0.0.0-20160831185616-c7581939a365"

	[[additional_packages]]
	package = "github.com/square/go-jose"
	symbols = ["JsonWebEncryption.Decrypt"]

	[links]
	commit = "https://github.com/square/go-jose/commit/c7581939a3656bb65e89d64da0a52364a33d2507"
	context = ["https://www.openwall.com/lists/oss-security/2016/11/03/1"]