CVE-2020-28498

Published: 02/02/2021 Updated: 08/02/2021
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
CVSS v3 Base Score: 6.8 | Impact Score: 4 | Exploitability Score: 2.2
VMScore: 383
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

Vulnerability Summary

The package elliptic before 6.5.4 is vulnerable to Cryptographic Issues via the secp256k1 implementation in elliptic/ec/key.js. There is no check to confirm that the public key point passed into the derive function actually exists on the secp256k1 curve. As a result, the private key used in this implementation can potentially be revealed after a number of ECDH operations are performed.
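The missing check described above, written out as an added example (not code from the elliptic package): a caller-side validation that rejects a peer public key unless it satisfies the secp256k1 equation y^2 = x^3 + 7 mod p before it is used for ECDH. The function names are hypothetical, the sample keys are constructed from the curve's generator point, and only the uncompressed 04 || X || Y encoding is handled.

```javascript
// secp256k1 domain parameters (public constants of the curve).
const P = 2n ** 256n - 2n ** 32n - 977n; // field prime
const B = 7n;                            // curve: y^2 = x^3 + 7 (mod P)

// Generator point, used here only as a known-good sample key.
const GX = 0x79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798n;
const GY = 0x483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8n;

// True only if (x, y) are reduced field elements that satisfy the curve equation.
function isOnCurve(x, y) {
  if (typeof x !== 'bigint' || typeof y !== 'bigint') return false;
  if (x < 0n || x >= P || y < 0n || y >= P) return false; // reject unreduced coordinates
  return (y * y) % P === (x * x * x + B) % P;
}

// Parse a 65-byte uncompressed point given as hex: 04 || X (32 bytes) || Y (32 bytes).
function parseUncompressed(hex) {
  if (typeof hex !== 'string' || !/^04[0-9a-fA-F]{128}$/.test(hex)) {
    throw new Error('expected uncompressed point: 04 || X || Y');
  }
  return { x: BigInt('0x' + hex.slice(2, 66)), y: BigInt('0x' + hex.slice(66)) };
}

// Gate to call before any ECDH derive: throws unless the peer key is on the curve.
// secp256k1 has cofactor 1, so an on-curve finite point is in the correct group.
function validatePeerKey(hex) {
  const { x, y } = parseUncompressed(hex);
  if (!isOnCurve(x, y)) throw new Error('peer public key is not on secp256k1');
  return { x, y };
}

// Helper to build constructed sample inputs.
function toUncompressedHex(x, y) {
  const h = (v) => v.toString(16).padStart(64, '0');
  return '04' + h(x) + h(y);
}

// Constructed samples: the generator (valid) and the same x with y + 1 (off curve).
const SAMPLE_VALID = toUncompressedHex(GX, GY);
const SAMPLE_INVALID = toUncompressedHex(GX, GY + 1n);
```

Upgrading to elliptic 6.5.4 or later is the fix for the package; a gate like this is for code that still receives raw peer points from untrusted parties.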

Vulnerable Product

elliptic project elliptic

Github Repositories

In this article, we will implement a Twist Attack with an example and show how, using certain points on the secp256k1 elliptic curve, we can get partial private key values and restore a Bitcoin Wallet within 5-15 minutes using “Sagemath pollard rho function: (discrete_log_rho)” and “Chinese Remainder Theorem”.

Twist Attack Tutorial: youtube/S_ZUcM2cD8I Tutorial: cryptodeeptechru/twist-attack Not so long ago, the elliptic (654) package for standard elliptic curves was vulnerable to various attacks, one of which is the Twist Attack. The cryptographic problem was in the implementation of secp256