Candidate: CVE-2020-28498
PublicDate: 2021-02-02 19:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28498
 https://github.com/christianlundkvist/blog/blob/master/2020_05_26_secp256k1_twist_attacks/secp256k1_twist_attacks.md
 https://github.com/indutny/elliptic/commit/441b7428b0e8f6636c42118ad2aaa186d3c34c3f
 https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1069836
 https://snyk.io/vuln/SNYK-JS-ELLIPTIC-1064899
Description:
 The package elliptic before 6.5.4 are vulnerable to Cryptographic Issues
 via the secp256k1 implementation in elliptic/ec/key.js. There is no check
 to confirm that the public key point passed into the derive function
 actually exists on the secp256k1 curve. This results in the potential for
 the private key used in this implementation to be revealed after a number
 of ECDH operations are performed.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N [6.8 MEDIUM]


Patches_node-elliptic:
upstream_node-elliptic: needs-triage
precise/esm_node-elliptic: DNE
trusty_node-elliptic: ignored (out of standard support)
trusty/esm_node-elliptic: DNE
xenial_node-elliptic: DNE
bionic_node-elliptic: needs-triage
focal_node-elliptic: needs-triage
groovy_node-elliptic: ignored (reached end-of-life)
hirsute_node-elliptic: ignored (reached end-of-life)
impish_node-elliptic: needs-triage
jammy_node-elliptic: needs-triage
devel_node-elliptic: needs-triage