CVE-2024-48948

SUSE Security Advisory - SUSE-SU-2024:3771-1

Severity Score

4.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

The Elliptic package 6.5.7 for Node.js, in its for ECDSA implementation, does not correctly verify valid signatures if the hash contains at least four leading 0 bytes and when the order of the elliptic curve's base point is smaller than the hash, because of an _truncateToN anomaly. This leads to valid signatures being rejected. Legitimate transactions or communications may be incorrectly flagged as invalid.

This update for pgadmin4 fixes the following issues. Fixed socket.io: unhandled 'error' event. Fixed requirejs: prototype pollution via function config. Fixed requirejs: prototype pollution via function s.contexts._.configure. Fixed axios: server-side request forgery due to requests for path relative URLs being processed as protocol relative URLs in axios. Fixed micromatch: vulnerable to Regular Expression Denial of Service. Fixed braces: fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. Fixed webpack: DOM clobbering gadget in AutoPublicPathRuntimeModule could lead to XSS Fixed elliptic: ECDSA signature verification error due to leading zero may reject legitimate transactions in elliptic. Fixed elliptic: Missing Validation in Elliptic's EDDSA Signature Verification. Fixed OAuth2 issue that could lead to information leak.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

Low

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

High

Authentication

None

Confidentiality

None

Integrity

Partial

Availability

Partial

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

Poc

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-10-10 CVE Reserved
2024-10-15 CVE Published
2024-12-20 CVE Updated
2025-07-11 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-347: Improper Verification of Cryptographic Signature

CAPEC

References (2)

URL	Tag	Source
https://github.com/indutny/elliptic/issues/321
https://github.com/indutny/elliptic/pull/322

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Indutny Search vendor "Indutny"		Elliptic Search vendor "Indutny" for product "Elliptic"				*		-		Affected
Nodejs Search vendor "Nodejs"		Elliptic Search vendor "Nodejs" for product "Elliptic"				*		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				*		-		Affected
Opensuse Search vendor "Opensuse"		Leap Search vendor "Opensuse" for product "Leap"				*		-		Affected
Suse Search vendor "Suse"		Sle-module-python3 Search vendor "Suse" for product "Sle-module-python3"				*		-		Affected