Vulnerability Information
Vulnerability Title
tiny-secp256k1 vulnerable to private key extraction when signing a malicious JSON-stringifyable message in bundled environment
Vulnerability Description
tiny-secp256k1 is a tiny secp256k1 native/JS wrapper. Prior to version 1.1.7, a private key can be extracted when signing a malicious JSON-stringifiable object if the global Buffer is the buffer package. This affects only environments where require('buffer') is the NPM buffer package. The Buffer.isBuffer check can be bypassed, resulting in reuse of k for different messages, which leads to private key extraction from a single invalid message (plus a second one, for which any message/signature could be taken, e.g. a previously known valid one). This issue has been patched in version 1.1.7.
CVSS Information
N/A
Vulnerability Type
Insufficiently protected credentials
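A caller-side guard for the failure mode described above, as an added example (not code from tiny-secp256k1 and not its 1.1.7 patch): it checks the value's internal type instead of properties the caller controls, and hands the signer a private 32-byte copy. `toHash32`, `accepts`, `runSamples` and the sample inputs are hypothetical names and constructed values.

```javascript
// Added example; names are hypothetical, not tiny-secp256k1's API.

// Getter behind %TypedArray%.prototype[Symbol.toStringTag]. It reads the
// object's internal type slot, so it yields 'Uint8Array' only for a real
// Uint8Array (or a subclass such as Buffer) and undefined for anything else,
// including plain objects that set their own Symbol.toStringTag.
const typedArrayTag = Object.getOwnPropertyDescriptor(
  Object.getPrototypeOf(Uint8Array.prototype), Symbol.toStringTag).get;

// Return a private 32-byte copy of `value`, or throw.
function toHash32(value) {
  if (typedArrayTag.call(value) !== 'Uint8Array') {
    throw new TypeError('hash must be a Uint8Array');
  }
  // Copying uses the source's internal length and bytes, so own properties
  // on the caller's object and later mutation cannot affect what is signed.
  const copy = new Uint8Array(value);
  if (copy.length !== 32) {
    throw new RangeError('hash must be exactly 32 bytes');
  }
  return copy;
}

function accepts(value) {
  try { toHash32(value); return true; } catch (e) { return false; }
}

// Constructed sample inputs.
const real = new Uint8Array(32).fill(7);
// What a Buffer looks like after a JSON round trip: a plain object.
const fromJson = JSON.parse('{"type":"Buffer","data":[7,7,7]}');
// Plain object that imitates the outward shape of a byte array.
const lookalike = { length: 32, [Symbol.toStringTag]: 'Uint8Array' };
// Real typed array of the wrong size with a misleading own `length`.
const forgedLength = Object.defineProperty(
  new Uint8Array(31), 'length', { value: 32 });

function runSamples() {
  return {
    real: accepts(real),
    fromJson: accepts(fromJson),
    lookalike: accepts(lookalike),
    forgedLength: accepts(forgedLength),
    hexString: accepts('07'.repeat(32)),
  };
}
```

Only `real` is accepted; every other sample is rejected before it could reach a signing call.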
Vulnerability Title
tiny-secp256k1 security vulnerability
Vulnerability Description
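tiny-secp256k1 is an open-source wrapper from bitcoinjs. Versions of tiny-secp256k1 prior to 1.1.7 contain a security vulnerability: signing a malicious JSON-stringifiable object may leak the private key, which can lead to private key extraction.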
CVSS Information
N/A
Vulnerability Type
N/A