Vulnerability Information
Vulnerability Title
secp256k1-node vulnerable to private key extraction over ECDH
Vulnerability Description
secp256k1-node is a Node.js binding for an optimized C library for EC operations on curve secp256k1. In the `elliptic`-based version, `loadUncompressedPublicKey` checks that the public key is on the curve. Prior to versions 5.0.1, 4.0.4, and 3.8.1, however, `loadCompressedPublicKey` is missing that check. This allows an attacker to use public keys on low-cardinality curves to extract enough information to fully restore the private key from as few as 11 ECDH sessions, at very low compute cost. Other operations on public keys are also affected: for example, `publicKeyVerify()` incorrectly returns `true` on those invalid keys, and `publicKeyTweakMul()` returns predictable outcomes that allow the tweak to be restored. Versions 5.0.1, 4.0.4, and 3.8.1 contain a fix for the issue.
CVSS Information
N/A
Vulnerability Type
Improper Validation of Integrity Check Value
Vulnerability Title
secp256k1-node security vulnerability
Vulnerability Description
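secp256k1-node is an open-source library from cryptocoinjs. secp256k1-node contains a security vulnerability that stems from a missing check in loadCompressedPublicKey, which allows an attacker to recover the private key. Affected versions: 5.0.0, 4.0.3, 4.0.2, 4.0.1, 4.0.0, and 3.8.0 and earlier.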
CVSS Information
N/A
Vulnerability Type
N/A