CVE-2020-1026

A Security Feature Bypass vulnerability exists in the MSR JavaScript Cryptography Library that is caused by multiple bugs in the libraryâ€™s Elliptic Curve Cryptography (ECC) implementation.An attacker could potentially abuse these bugs to learn information about a serverâ€™s private ECC key (a key leakage attack) or craft an invalid ECDSA signature that nevertheless passes as valid.The security update addresses the vulnerability by fixing the bugs disclosed in the ECC implementation, aka 'MSR JavaScript Cryptography Library Security Feature Bypass Vulnerability'.

CVSS v3 9.8 CRITICAL
CVSS v2.0 7.5 HIGH

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

7.5^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1026	Patch Vendor Advisory
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1026	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:microsoft:research_javascript_cryptography_library:1.4:*:*:*:*:*:*:*

History

21 Nov 2024, 05:09

Type	Values Removed	Values Added
References	~~() https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1026 - Patch, Vendor Advisory~~	() https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1026 - Patch, Vendor Advisory

Information

Published : 2020-04-15 15:15

Updated : 2024-11-21 05:09

NVD link : CVE-2020-1026

Mitre link : CVE-2020-1026

CVE.ORG link : CVE-2020-1026

JSON object : View

Products Affected

microsoft

research_javascript_cryptography_library

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

CWE-347

Improper Verification of Cryptographic Signature

{"id": "CVE-2020-1026", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2020-04-15T15:15:20.967", "references": [{"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1026", "tags": ["Patch", "Vendor Advisory"], "source": "secure@microsoft.com"}, {"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1026", "tags": ["Patch", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-347"}]}], "descriptions": [{"lang": "en", "value": "A Security Feature Bypass vulnerability exists in the MSR JavaScript Cryptography Library that is caused by multiple bugs in the library\u00e2\u20ac\u2122s Elliptic Curve Cryptography (ECC) implementation.An attacker could potentially abuse these bugs to learn information about a server\u00e2\u20ac\u2122s private ECC key (a key leakage attack) or craft an invalid ECDSA signature that nevertheless passes as valid.The security update addresses the vulnerability by fixing the bugs disclosed in the ECC implementation, aka 'MSR JavaScript Cryptography Library Security Feature Bypass Vulnerability'."}, {"lang": "es", "value": "Hay una vulnerabilidad de Omisi\u00f3n de la Caracter\u00edstica de Seguridad en la MSR JavaScript Cryptography Library que es causada por m\u00faltiples bugs en la implementaci\u00f3n de library\u00c3\u00a2\u00e2\u201a\u00ac\u00e2\u201e\u00a2s Elliptic Curve Cryptography (ECC). Un atacante podr\u00eda abusar de estos bugs para obtener informaci\u00f3n sobre la clave privada de un servidor (un ataque de filtrado de claves) o crear una firma ECDSA no v\u00e1lida que, no obstante, se considere v\u00e1lida. La actualizaci\u00f3n de la seguridad aborda la vulnerabilidad al corregir los bugs revelados en la implementaci\u00f3n de la ECC, tambi\u00e9n se conoce como \"MSR JavaScript Cryptography Library Security Feature Bypass Vulnerability\"."}], "lastModified": "2024-11-21T05:09:35.233", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:research_javascript_cryptography_library:1.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FCC764DA-F8E4-482C-824B-93FCFCD1C2F6"}], "operator": "OR"}]}], "sourceIdentifier": "secure@microsoft.com"}