Elliptic Curve Key Disclosure Affecting gopkg.in/square/go-jose.v1 package, versions <1.0.4
Snyk CVSS
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-GOLANG-GOPKGINSQUAREGOJOSEV1-50003
- published 16 Feb 2017
- disclosed 16 Feb 2017
- credit Unknown
Introduced: 16 Feb 2017
CVE-2016-9121 Open this link in a new tabHow to fix?
Upgrade gopkg.in/square/go-jose.v1
to version 1.0.4 or higher.
Overview
gopkg.in/square/go-jose.v1 is a Package that aims to provide an implementation of the Javascript Object Signing and Encryption set of standards.
Affected versions of this package are vulnerable to Elliptic Curve Key Disclosure. It suffers from an invalid curve attack for the ECDH-ES algorithm. When deriving a shared key using ECDH-ES for an encrypted message, go-jose neglected to check that the received public key on a message is on the same curve as the static private key of the receiver, thus making it vulnerable to an invalid curve attack.