Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
tiny-secp256k1 vulnerable to private key extraction when signing a malicious JSON-stringifyable message in bundled environment
Vulnerability Description
tiny-secp256k1 is a tiny secp256k1 native/JS wrapper. Prior to version 1.1.7, a private key can be extracted on signing a malicious JSON-stringifiable object, when global Buffer is the buffer package. This affects only environments where require('buffer') is the NPM buffer package. The Buffer.isBuffer check can be bypassed, resulting in k reuse for different messages, leading to private key extraction over a single invalid message (and a second one for which any message/signature could be taken, e.g. previously known valid one). This issue has been patched in version 1.1.7.
CVSS Information
N/A
Vulnerability Type
不充分的凭证保护机制
Vulnerability Title
tiny-secp256k1 安全漏洞
Vulnerability Description
tiny-secp256k1是bitcoinjs开源的一个包装器。 tiny-secp256k1 1.1.7之前版本存在安全漏洞,该漏洞源于签名恶意JSON可字符串化对象时可能泄露私钥,可能导致私钥提取。
CVSS Information
N/A
Vulnerability Type
N/A