What is CVE-2016-9121?

CVE-2016-9121 is a critical-severity vulnerability in Go-jose_project Go-jose, classified under Inadequate Encryption Strength. CVSS score: 9.1/10. Published 2017-03-28.

How severe is CVE-2016-9121?

Critical severity. CVSS v3 base score is 9.1 out of 10.

Vulnerability in Go-jose_project Go-jose

CVE-2016-9121

go-jose before 1.0.4 suffers from an invalid curve attack for the ECDH-ES algorithm. When deriving a shared key using ECDH-ES for an encrypted message, go-jose neglected to check that the received public key on a message is on the same cur…

EPSS: 0.002 (40.5th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.1 (Critical). Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N.

Affected products

Go-jose_project Go-jose
N/a Go Jose All Versions Before 1.0.4 — versions Go JOSE All versions before 1.0.4

Weakness classification (CWE)

CWE-326 — Inadequate Encryption Strength

References

support@hackerone.com (Patch, Third Party Advisory, x_refsource_MISC, Issue Tracking)
support@hackerone.com (Permissions Required, x_refsource_MISC)
support@hackerone.com (Patch, Mailing List, Third Party Advisory, x_refsource_MISC)

Frequently asked questions

What is CVE-2016-9121?: CVE-2016-9121 is a critical-severity vulnerability in Go-jose_project Go-jose, classified under Inadequate Encryption Strength. CVSS score: 9.1/10. Published 2017-03-28.
How severe is CVE-2016-9121?: Critical severity. CVSS v3 base score is 9.1 out of 10.