[GitHub] [High] Signature Malleabillity in elliptic (due 9/25/20)

[lbeaufort]

Remediation
Upgrade elliptic to version 6.5.3 or later. For example:

"dependencies": {
  "elliptic": ">=6.5.3"
}

or…

"devDependencies": {
  "elliptic": ">=6.5.3"
}

Always verify the validity and compatibility of suggestions with your codebase.

Details
CVE-2020-13822
high severity
Vulnerable versions: < 6.5.3
Patched version: 6.5.3
The Elliptic package before version 6.5.3 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.

Action item:

• Update the package and see if it breaks
• If there are any errors, make sure it's a vulnerability before working on those errors

Completion criteria:

• Vulnerability is explored and addresses as appropriate

[jason-upchurch]

This vulnerability is in a dev dependency thus not flagged by snyk. To reproduce

snyk test --file=package-lock.json --dev

The typical snyk test --file=package-lock will not pick it up as a vulnerability.

Will patch and commit new package-lock.json after testing.