漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
secp256k1-node vulnerable to private key extraction over ECDH
Vulnerability Description
secp256k1-node is a Node.js binding for an Optimized C library for EC operations on curve secp256k1. In `elliptic`-based version, `loadUncompressedPublicKey` has a check that the public key is on the curve. Prior to versions 5.0.1, 4.0.4, and 3.8.1, however, `loadCompressedPublicKey` is missing that check. That allows the attacker to use public keys on low-cardinality curves to extract enough information to fully restore the private key from as little as 11 ECDH sessions, and very cheaply on compute power. Other operations on public keys are also affected, including e.g. `publicKeyVerify()` incorrectly returning `true` on those invalid keys, and e.g. `publicKeyTweakMul()` also returning predictable outcomes allowing to restore the tweak. Versions 5.0.1, 4.0.4, and 3.8.1 contain a fix for the issue.
CVSS Information
N/A
Vulnerability Type
完整性检查值验证不恰当
Vulnerability Title
secp256k1-node 安全漏洞
Vulnerability Description
secp256k1-node是cryptocoinjs开源的一个库。 secp256k1-node存在安全漏洞,该漏洞源于loadCompressedPublicKey缺少检查,导致攻击者可以恢复私钥。受影响版本如下:5.0.0版本、4.0.3版本、4.0.2版本、4.0.1版本、4.0.0版本和3.8.0及之前版本。
CVSS Information
N/A
Vulnerability Type
N/A