ID

VAR-201806-0161


CVE

CVE-2017-16007


TITLE

node-jose vulnerable to information disclosure

Trust: 0.8

sources: JVNDB: JVNDB-2017-013768

DESCRIPTION

node-jose is a JavaScript implementation of JSON Object Signing and Encryption (JOSE) for current web browsers and node.js-based servers. Versions of node-jose earlier than 0.9.3 are vulnerable to an invalid curve attack. This allows an attacker to recover the private secret key when JWE with Key Agreement with Elliptic Curve Diffie-Hellman Ephemeral Static (ECDH-ES) is used. node-jose contains information disclosure vulnerabilities and key management errors. Information may be obtained. There is a security vulnerability in node-jose versions prior to 0.9.3. An attacker could exploit this vulnerability to obtain sensitive information.

Trust: 1.8

sources: NVD: CVE-2017-16007 // JVNDB: JVNDB-2017-013768 // VULHUB: VHN-106886 // VULMON: CVE-2017-16007

AFFECTED PRODUCTS

vendor: cisco, model: node-jose, scope: lt, version: 0.9.3

Trust: 1.8

sources: JVNDB: JVNDB-2017-013768 // NVD: CVE-2017-16007

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-16007
value: MEDIUM

Trust: 1.0

NVD: CVE-2017-16007
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201806-202
value: MEDIUM

Trust: 0.6

VULHUB: VHN-106886
value: MEDIUM

Trust: 0.1

VULMON: CVE-2017-16007
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2017-16007
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-106886
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-16007
baseSeverity: MEDIUM
baseScore: 5.9
vectorString: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.2
impactScore: 3.6
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-106886 // VULMON: CVE-2017-16007 // JVNDB: JVNDB-2017-013768 // CNNVD: CNNVD-201806-202 // NVD: CVE-2017-16007

PROBLEMTYPE DATA

problemtype:CWE-200

Trust: 1.9

problemtype:NVD-CWE-noinfo

Trust: 1.0

problemtype:CWE-320

Trust: 0.9

sources: VULHUB: VHN-106886 // JVNDB: JVNDB-2017-013768 // NVD: CVE-2017-16007

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201806-202

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-201806-202

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-013768

PATCH

title: node-jose, url: https://github.com/cisco/node-jose

Trust: 0.8

title: node-jose Security vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=80541

Trust: 0.6

sources: JVNDB: JVNDB-2017-013768 // CNNVD: CNNVD-201806-202

EXTERNAL IDS

db: NVD, id: CVE-2017-16007

Trust: 2.6

db: JVNDB, id: JVNDB-2017-013768

Trust: 0.8

db: CNNVD, id: CNNVD-201806-202

Trust: 0.7

db: VULHUB, id: VHN-106886

Trust: 0.1

db: VULMON, id: CVE-2017-16007

Trust: 0.1

sources: VULHUB: VHN-106886 // VULMON: CVE-2017-16007 // JVNDB: JVNDB-2017-013768 // CNNVD: CNNVD-201806-202 // NVD: CVE-2017-16007

REFERENCES

url:https://gist.github.com/asanso/fa25685348051ef6a28d49aa0f27a4ae

Trust: 2.6

url:http://blog.intothesymmetry.com/2017/03/critical-vulnerability-in-json-web.html

Trust: 1.8

url:https://github.com/cisco/node-jose

Trust: 1.8

url:https://nodesecurity.io/advisories/324

Trust: 1.8

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-16007

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2017-16007

Trust: 0.8

url:https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-nimbus-jose-jwt-affect-ibm-spectrum-symphony/

Trust: 0.6

url:https://www.ibm.com/blogs/psirt/security-bulletin-three-vulnerabilities-in-nimbus-josejwt-affect-ibm-spectrum-conductor/

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: VULHUB: VHN-106886 // VULMON: CVE-2017-16007 // JVNDB: JVNDB-2017-013768 // CNNVD: CNNVD-201806-202 // NVD: CVE-2017-16007

SOURCES

db: VULHUB, id: VHN-106886
db: VULMON, id: CVE-2017-16007
db: JVNDB, id: JVNDB-2017-013768
db: CNNVD, id: CNNVD-201806-202
db: NVD, id: CVE-2017-16007

LAST UPDATE DATE

2024-11-23T23:12:07.600000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-106886, date: 2019-10-09T00:00:00
db: VULMON, id: CVE-2017-16007, date: 2019-10-09T00:00:00
db: JVNDB, id: JVNDB-2017-013768, date: 2018-08-09T00:00:00
db: CNNVD, id: CNNVD-201806-202, date: 2020-06-04T00:00:00
db: NVD, id: CVE-2017-16007, date: 2024-11-21T03:15:39.300

SOURCES RELEASE DATE

db: VULHUB, id: VHN-106886, date: 2018-06-04T00:00:00
db: VULMON, id: CVE-2017-16007, date: 2018-06-04T00:00:00
db: JVNDB, id: JVNDB-2017-013768, date: 2018-08-09T00:00:00
db: CNNVD, id: CNNVD-201806-202, date: 2018-06-04T00:00:00
db: NVD, id: CVE-2017-16007, date: 2018-06-04T19:29:00.617