Closed rastorc3v closed 7 months ago
Semgrep also calls this out with the following information:
Affected versions of browserify-sign are vulnerable to Improper Verification Of Cryptographic Signature. The vulnerability lies in the checkValue function incorrectly verifying the upper bounds of the `r` and `s` components in a signature, enabling attackers to manipulate the `s` component by setting it to the prime number `q`, thereby simulating a zero value for `s` and potentially resulting in the unauthorized acceptance of maliciously signed messages during signature verification.
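The bounds check the advisory describes, as an added illustration rather than browserify-sign's own code: a toy DSA verifier that rejects any `r` or `s` outside the open range `(0, q)` before doing any modular arithmetic, so a component equal to `q` (which reduces to zero) can never reach the inverse step. The group `p=23, q=11, g=4` and private key `x=3` are constructed for the example and are not safe for real use.

```python
"""Toy DSA verify with strict (r, s) range checks, added to illustrate the
bounds check described in the advisory above. Not browserify-sign's code;
the parameters p=23, q=11, g=4 and key x=3 are constructed for the example."""
import hashlib

P, Q, G = 23, 11, 4          # constructed toy group: G has order Q mod P
X = 3                        # constructed private key
Y = pow(G, X, P)             # corresponding public key


def hash_mod_q(msg: bytes) -> int:
    """SHA-256 of the message reduced into the subgroup order."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q


def check_value(value: int) -> bool:
    """Strict DSA range check: a component must satisfy 0 < value < q.
    Accepting value == q is the flaw described above, because q mod q == 0,
    so the component behaves like zero once reduced."""
    return 0 < value < Q


def sign(msg: bytes, k: int = 2) -> tuple[int, int]:
    """Textbook DSA signing with a toy nonce k, retried if r or s is zero."""
    h = hash_mod_q(msg)
    while True:
        r = pow(G, k, P) % Q
        s = (pow(k, -1, Q) * (h + X * r)) % Q
        if r and s:
            return r, s
        k = k % (Q - 1) + 1        # cycle through 1..q-1


def verify(msg: bytes, r: int, s: int) -> bool:
    """Reject out-of-range components first; only then invert s."""
    if not (check_value(r) and check_value(s)):
        return False
    w = pow(s, -1, Q)              # safe: 0 < s < q guarantees an inverse exists
    u1 = (hash_mod_q(msg) * w) % Q
    u2 = (r * w) % Q
    v = (pow(G, u1, P) * pow(Y, u2, P) % P) % Q
    return v == r


if __name__ == "__main__":
    m = b"constructed message"
    r, s = sign(m)
    print("genuine signature verifies:", verify(m, r, s))
    print("s == q is rejected:", verify(m, r, Q))
```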
@mkilpatrick that sounds like something different - if `elliptic` has a vulnerability, then that package needs to fix it. The CVE you reference was fixed in browserify-sign 4-5 months ago (https://github.com/browserify/browserify-sign/commit/85994cd6348b50f2fd1b73c54e20881416f44a30) and is in v4.2.2 of that package.
if `elliptic` has a vulnerability, then that package needs to fix it - if there's a specific CVE, please link it.
The current browserify-sign version has elliptic as a dependency, which contains a security issue. Please update browserify-sign to fix it.