ECDH-ES Algorithm Vulnerability in Go-Jose by Square
CVE-2016-9121
9.1 CRITICAL
What is CVE-2016-9121?
Go-Jose, a library by Square, has a significant security flaw in its implementation of the ECDH-ES algorithm. The library fails to verify that the public key received in a message is on the same elliptic curve as the receiver's static private key. An attacker could exploit this oversight by using an invalid curve, enabling them to derive the shared key used for encrypted communications. The flaw underlines the importance of strict key validation to maintain cryptographic integrity.
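The missing check, sketched as an added example (not go-jose's own code or its patch): the sender's point is validated against the receiver's curve before the static private scalar is used. The helper names `checkPeerPoint`, `deriveZ` and `newKey` are hypothetical, and the keys are generated on the fly for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
)

// checkPeerPoint (hypothetical helper) rejects a peer point that is not on the receiver's curve.
func checkPeerPoint(curve elliptic.Curve, x, y *big.Int) error {
	p := curve.Params().P
	if x == nil || y == nil || x.Sign() < 0 || y.Sign() < 0 || x.Cmp(p) >= 0 || y.Cmp(p) >= 0 {
		return errors.New("peer key: missing or out-of-field coordinate")
	}
	if !curve.IsOnCurve(x, y) {
		return errors.New("peer key: point is not on the receiver's curve")
	}
	return nil
}

// deriveZ (hypothetical helper) validates the peer point, then returns the raw ECDH x-coordinate.
func deriveZ(priv *ecdsa.PrivateKey, x, y *big.Int) ([]byte, error) {
	if err := checkPeerPoint(priv.Curve, x, y); err != nil {
		return nil, err
	}
	zx, _ := priv.Curve.ScalarMult(x, y, priv.D.Bytes())
	return zx.FillBytes(make([]byte, (priv.Params().BitSize+7)/8)), nil
}

// newKey generates a throwaway key pair for the demonstration.
func newKey(c elliptic.Curve) *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(c, rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func main() {
	recv, peer := newKey(elliptic.P256()), newKey(elliptic.P256())
	_, err := deriveZ(recv, peer.X, peer.Y)
	fmt.Println("valid P-256 point:", err)
	// Constructed invalid input: shifting y by one moves the point off the curve.
	_, err = deriveZ(recv, peer.X, new(big.Int).Add(peer.Y, big.NewInt(1)))
	fmt.Println("off-curve point:  ", err)
}
```

In the JOSE setting the `x` and `y` values would come from the `epk` header of the incoming JWE, so the check has to run on every message before key derivation.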
Affected Version(s)
Go JOSE: all versions before 1.0.4