Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
N/A
Vulnerability Description
All versions of the package sjcl are vulnerable to Improper Verification of Cryptographic Signature due to missing point-on-curve validation in sjcl.ecc.basicKey.publicKey(). An attacker can recover a victim's ECDH private key by sending crafted off-curve public keys and observing ECDH outputs. The dhJavaEc() function directly returns the raw x-coordinate of the scalar multiplication result (no hashing), providing a plaintext oracle without requiring any decryption feedback.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Vulnerability Type
密码学签名的验证不恰当
Vulnerability Title
sjcl 安全漏洞
Vulnerability Description
sjcl是bitwiseshiftleft个人开发者的一个已弃用的JavaScript加密库。 sjcl存在安全漏洞,该漏洞源于sjcl.ecc.basicKey.publicKey()缺少点在线验证,可能导致攻击者通过发送特制的离曲线公钥并观察ECDH输出来恢复受害者的ECDH私钥。
CVSS Information
N/A
Vulnerability Type
N/A