CVE-2017-16007 - AskarLabs CVE Database

CVE-2017-16007

Vendor Hackerone

Product node-jose node module

Weakness CWE-200 · Info exposure

Published June 4, 2018

Last update September 16, 2024

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

01Description

node-jose is a JavaScript implementation of the JSON Object Signing and Encryption (JOSE) for current web browsers and node.js-based servers. node-jose earlier than version 0.9.3 is vulnerable to an invalid curve attack. This allows an attacker to recover the private secret key when JWE with Key Agreement with Elliptic Curve Diffie-Hellman Ephemeral Static (ECDH-ES) is used.

Key dates

02Disclosure timeline

June 4, 2018 CVE published

September 16, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2017-16007

Related vulnerabilities

04Related CVE

CVE-2022-31043 Fix failure to strip Authorization header on HTTP downgrade in Guzzle CVE-2024-13568 Fluent Support – Helpdesk & Customer Support Ticket System <= 1.8.5 - Unauthenticated Sensitive Information Exposure Through Unprotected Directory CVE-2025-8866 CVE-2024-32967 Zitadel exposes internal database user name and host information CVE-2024-3780 Information exposure vulnerability on Technicolor CGA2121