cvelistv5 - cve-2020-1026

CVE-2020-1026 (GCVE-0-2020-1026)

Vulnerability from cvelistv5

Published

2020-04-15 15:13

Modified

2024-08-04 06:25

Severity ?

CWE

Security Feature Bypass

Summary

A Security Feature Bypass vulnerability exists in the MSR JavaScript Cryptography Library that is caused by multiple bugs in the libraryâ€™s Elliptic Curve Cryptography (ECC) implementation.An attacker could potentially abuse these bugs to learn information about a serverâ€™s private ECC key (a key leakage attack) or craft an invalid ECDSA signature that nevertheless passes as valid.The security update addresses the vulnerability by fixing the bugs disclosed in the ECC implementation, aka 'MSR JavaScript Cryptography Library Security Feature Bypass Vulnerability'.

References

URL

Tags

	secure@microsoft.com	https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1026	Patch, Vendor Advisory
	af854a3a-2127-422b-91ae-364da2661108	https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1026	Patch, Vendor Advisory

Impacted products

	Vendor	Product	Version
	Microsoft	Microsoft Research JavaScript Cryptography Library V1.4	Version: unspecified

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T06:25:01.084Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1026"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Microsoft Research JavaScript Cryptography Library V1.4",
          "vendor": "Microsoft",
          "versions": [
            {
              "status": "affected",
              "version": "unspecified"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A Security Feature Bypass vulnerability exists in the MSR JavaScript Cryptography Library that is caused by multiple bugs in the library\u00e2\u20ac\u2122s Elliptic Curve Cryptography (ECC) implementation.An attacker could potentially abuse these bugs to learn information about a server\u00e2\u20ac\u2122s private ECC key (a key leakage attack) or craft an invalid ECDSA signature that nevertheless passes as valid.The security update addresses the vulnerability by fixing the bugs disclosed in the ECC implementation, aka \u0027MSR JavaScript Cryptography Library Security Feature Bypass Vulnerability\u0027."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Security Feature Bypass",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-04-15T15:13:28",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1026"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secure@microsoft.com",
          "ID": "CVE-2020-1026",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Microsoft Research JavaScript Cryptography Library V1.4",
                      "version": {
                        "version_data": [
                          {
                            "version_value": ""
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Microsoft"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A Security Feature Bypass vulnerability exists in the MSR JavaScript Cryptography Library that is caused by multiple bugs in the library\u00e2\u20ac\u2122s Elliptic Curve Cryptography (ECC) implementation.An attacker could potentially abuse these bugs to learn information about a server\u00e2\u20ac\u2122s private ECC key (a key leakage attack) or craft an invalid ECDSA signature that nevertheless passes as valid.The security update addresses the vulnerability by fixing the bugs disclosed in the ECC implementation, aka \u0027MSR JavaScript Cryptography Library Security Feature Bypass Vulnerability\u0027."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Security Feature Bypass"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1026",
              "refsource": "MISC",
              "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1026"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2020-1026",
    "datePublished": "2020-04-15T15:13:28",
    "dateReserved": "2019-11-04T00:00:00",
    "dateUpdated": "2024-08-04T06:25:01.084Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2020-1026\",\"sourceIdentifier\":\"secure@microsoft.com\",\"published\":\"2020-04-15T15:15:20.967\",\"lastModified\":\"2024-11-21T05:09:35.233\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A Security Feature Bypass vulnerability exists in the MSR JavaScript Cryptography Library that is caused by multiple bugs in the library\u00e2\u20ac\u2122s Elliptic Curve Cryptography (ECC) implementation.An attacker could potentially abuse these bugs to learn information about a server\u00e2\u20ac\u2122s private ECC key (a key leakage attack) or craft an invalid ECDSA signature that nevertheless passes as valid.The security update addresses the vulnerability by fixing the bugs disclosed in the ECC implementation, aka \u0027MSR JavaScript Cryptography Library Security Feature Bypass Vulnerability\u0027.\"},{\"lang\":\"es\",\"value\":\"Hay una vulnerabilidad de Omisi\u00f3n de la Caracter\u00edstica de Seguridad en la MSR JavaScript Cryptography Library que es causada por m\u00faltiples bugs en la implementaci\u00f3n de library\u00c3\u00a2\u00e2\u201a\u00ac\u00e2\u201e\u00a2s Elliptic Curve Cryptography (ECC). Un atacante podr\u00eda abusar de estos bugs para obtener informaci\u00f3n sobre la clave privada de un servidor (un ataque de filtrado de claves) o crear una firma ECDSA no v\u00e1lida que, no obstante, se considere v\u00e1lida. La actualizaci\u00f3n de la seguridad aborda la vulnerabilidad al corregir los bugs revelados en la implementaci\u00f3n de la ECC, tambi\u00e9n se conoce como \\\"MSR JavaScript Cryptography Library Security Feature Bypass Vulnerability\\\".\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:P\",\"baseScore\":7.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-200\"},{\"lang\":\"en\",\"value\":\"CWE-347\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:research_javascript_cryptography_library:1.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FCC764DA-F8E4-482C-824B-93FCFCD1C2F6\"}]}]}],\"references\":[{\"url\":\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1026\",\"source\":\"secure@microsoft.com\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1026\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Vendor Advisory\"]}]}}"
  }
}

ghsa-9x9j-836w-8f55

Vulnerability from github

Published

2022-01-06 19:44

Modified

2021-10-20 22:19

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

Incorrect Calculation in the MSR JavaScript Cryptography Library

Details

A Security Feature Bypass vulnerability exists in the MSR JavaScript Cryptography Library that is caused by multiple bugs in the library's Elliptic Curve Cryptography (ECC) implementation.An attacker could potentially abuse these bugs to learn information about a server's private ECC key (a key leakage attack) or craft an invalid ECDSA signature that nevertheless passes as valid.The security update addresses the vulnerability by fixing the bugs disclosed in the ECC implementation, aka MSR JavaScript Cryptography Library Security Feature Bypass Vulnerability.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "msrcrypto"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.5.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-1026"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-682"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-25T19:19:10Z",
    "nvd_published_at": "2020-04-15T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "A Security Feature Bypass vulnerability exists in the MSR JavaScript Cryptography Library that is caused by multiple bugs in the library\u0027s Elliptic Curve Cryptography (ECC) implementation.An attacker could potentially abuse these bugs to learn information about a server\u0027s private ECC key (a key leakage attack) or craft an invalid ECDSA signature that nevertheless passes as valid.The security update addresses the vulnerability by fixing the bugs disclosed in the ECC implementation, aka `MSR JavaScript Cryptography Library Security Feature Bypass Vulnerability`.",
  "id": "GHSA-9x9j-836w-8f55",
  "modified": "2021-10-20T22:19:13Z",
  "published": "2022-01-06T19:44:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1026"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1026"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Incorrect Calculation in the MSR JavaScript Cryptography Library"
}

fkie_cve-2020-1026

Vulnerability from fkie_nvd

Published

2020-04-15 15:15

Modified

2024-11-21 05:09

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

References

	URL	Tags
	secure@microsoft.com	https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1026	Patch, Vendor Advisory
	af854a3a-2127-422b-91ae-364da2661108	https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1026	Patch, Vendor Advisory

Impacted products

	Vendor	Product	Version
	microsoft	research_javascript_cryptography_library	1.4

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:microsoft:research_javascript_cryptography_library:1.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "FCC764DA-F8E4-482C-824B-93FCFCD1C2F6",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A Security Feature Bypass vulnerability exists in the MSR JavaScript Cryptography Library that is caused by multiple bugs in the library\u00e2\u20ac\u2122s Elliptic Curve Cryptography (ECC) implementation.An attacker could potentially abuse these bugs to learn information about a server\u00e2\u20ac\u2122s private ECC key (a key leakage attack) or craft an invalid ECDSA signature that nevertheless passes as valid.The security update addresses the vulnerability by fixing the bugs disclosed in the ECC implementation, aka \u0027MSR JavaScript Cryptography Library Security Feature Bypass Vulnerability\u0027."
    },
    {
      "lang": "es",
      "value": "Hay una vulnerabilidad de Omisi\u00f3n de la Caracter\u00edstica de Seguridad en la MSR JavaScript Cryptography Library que es causada por m\u00faltiples bugs en la implementaci\u00f3n de library\u00c3\u00a2\u00e2\u201a\u00ac\u00e2\u201e\u00a2s Elliptic Curve Cryptography (ECC). Un atacante podr\u00eda abusar de estos bugs para obtener informaci\u00f3n sobre la clave privada de un servidor (un ataque de filtrado de claves) o crear una firma ECDSA no v\u00e1lida que, no obstante, se considere v\u00e1lida. La actualizaci\u00f3n de la seguridad aborda la vulnerabilidad al corregir los bugs revelados en la implementaci\u00f3n de la ECC, tambi\u00e9n se conoce como \"MSR JavaScript Cryptography Library Security Feature Bypass Vulnerability\"."
    }
  ],
  "id": "CVE-2020-1026",
  "lastModified": "2024-11-21T05:09:35.233",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 7.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-04-15T15:15:20.967",
  "references": [
    {
      "source": "secure@microsoft.com",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1026"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1026"
    }
  ],
  "sourceIdentifier": "secure@microsoft.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-200"
        },
        {
          "lang": "en",
          "value": "CWE-347"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

CERTFR-2020-AVI-225

Vulnerability from certfr_avis

De multiples vulnérabilités ont été corrigées dans les produits Microsoft. Elles permettent à un attaquant de provoquer une exécution de code à distance, une élévation de privilèges, une atteinte à la confidentialité des données, un contournement de la fonctionnalité de sécurité et une usurpation d'identité.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
Microsoft	N/A	Microsoft Dynamics NAV 2018
Microsoft	N/A	ChakraCore
Microsoft	N/A	Dynamics 365 Business Central 2019 Release Wave 2 (On-Premise)
Microsoft	N/A	Microsoft Research JavaScript Cryptography Library V1.4
Microsoft	N/A	Microsoft Visio 2010 Service Pack 2 (éditions 64 bits)
Microsoft	N/A	Microsoft Visio 2013 Service Pack 1 (éditions 32 bits)
Microsoft	N/A	Microsoft Dynamics NAV 2017
Microsoft	N/A	Microsoft Dynamics NAV 2015
Microsoft	N/A	Microsoft Business Productivity Servers 2010 Service Pack 2
Microsoft	N/A	Microsoft System Center 2012 R2 Endpoint Protection
Microsoft	N/A	Microsoft Dynamics NAV 2013
Microsoft	N/A	Dynamics 365 Server, version 9.0 (on-premises)
Microsoft	N/A	Microsoft Visual Studio 2019 version 16.4 (includes 16.0 - 16.3)
Microsoft	N/A	Microsoft System Center Endpoint Protection
Microsoft	N/A	Microsoft Visio 2016 (édition 64 bits)
Microsoft	N/A	Microsoft Visual Studio 2019 version 16.0
Microsoft	N/A	Microsoft Security Essentials
Microsoft	N/A	Microsoft RMS Sharing pour Mac
Microsoft	N/A	Microsoft Visual Studio 2017 version 15.9 (includes 15.1 - 15.8)
Microsoft	N/A	Microsoft Visio 2016 (édition 32 bits)
Microsoft	N/A	Microsoft Visual Studio 2015 Update 3
Microsoft	N/A	Microsoft Dynamics 365 BC On Premise
Microsoft	N/A	Microsoft Dynamics NAV 2016
Microsoft	N/A	Microsoft AutoUpdate pour Mac
Microsoft	N/A	Microsoft Your Phone Companion App pour Android
Microsoft	N/A	Microsoft Visio 2010 Service Pack 2 (éditions 32 bits)
Microsoft	N/A	Microsoft Visio 2013 Service Pack 1 (éditions 64 bits)
Microsoft	N/A	Microsoft Remote Desktop pour Mac
Microsoft	N/A	Microsoft Forefront Endpoint Protection 2010
Microsoft	N/A	Microsoft Visual Studio 2019 version 16.5
Microsoft	N/A	Dynamics 365 Business Central 2019 Spring Update
Microsoft	N/A	Microsoft System Center 2012 Endpoint Protection

References

Title

Publication Time

Tags

Bulletin de sécurité Microsoft du 14 avril 2020

None

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Microsoft Dynamics NAV 2018",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "ChakraCore",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Dynamics 365 Business Central 2019 Release Wave 2 (On-Premise)",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Research JavaScript Cryptography Library V1.4",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Visio 2010 Service Pack 2 (\u00e9ditions 64 bits)",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Visio 2013 Service Pack 1 (\u00e9ditions 32 bits)",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Dynamics NAV 2017",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Dynamics NAV 2015",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Business Productivity Servers 2010 Service Pack 2",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft System Center 2012 R2 Endpoint Protection",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Dynamics NAV 2013",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Dynamics 365 Server, version 9.0 (on-premises)",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Visual Studio 2019 version 16.4 (includes 16.0 - 16.3)",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft System Center Endpoint Protection",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Visio 2016 (\u00e9dition 64 bits)",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Visual Studio 2019 version 16.0",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Security Essentials",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft RMS Sharing pour Mac",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Visual Studio 2017 version 15.9 (includes 15.1 - 15.8)",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Visio 2016 (\u00e9dition 32 bits)",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Visual Studio 2015 Update 3",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Dynamics 365 BC On Premise",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Dynamics NAV 2016",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft AutoUpdate pour Mac",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Your Phone Companion App pour Android",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Visio 2010 Service Pack 2 (\u00e9ditions 32 bits)",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Visio 2013 Service Pack 1 (\u00e9ditions 64 bits)",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Remote Desktop pour Mac",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Forefront Endpoint Protection 2010",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Visual Studio 2019 version 16.5",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Dynamics 365 Business Central 2019 Spring Update",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft System Center 2012 Endpoint Protection",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2020-0899",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-0899"
    },
    {
      "name": "CVE-2020-0984",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-0984"
    },
    {
      "name": "CVE-2020-0931",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-0931"
    },
    {
      "name": "CVE-2020-0760",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-0760"
    },
    {
      "name": "CVE-2020-1026",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-1026"
    },
    {
      "name": "CVE-2020-1018",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-1018"
    },
    {
      "name": "CVE-2020-0969",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-0969"
    },
    {
      "name": "CVE-2020-1002",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-1002"
    },
    {
      "name": "CVE-2020-1019",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-1019"
    },
    {
      "name": "CVE-2020-1022",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-1022"
    },
    {
      "name": "CVE-2020-1049",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-1049"
    },
    {
      "name": "CVE-2020-1050",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-1050"
    },
    {
      "name": "CVE-2020-0919",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-0919"
    },
    {
      "name": "CVE-2020-0970",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-0970"
    },
    {
      "name": "CVE-2020-0900",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-0900"
    },
    {
      "name": "CVE-2020-0943",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-0943"
    }
  ],
  "initial_release_date": "2020-04-15T00:00:00",
  "last_revision_date": "2020-04-15T00:00:00",
  "links": [],
  "reference": "CERTFR-2020-AVI-225",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2020-04-15T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Usurpation d\u0027identit\u00e9"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Contournement de la fonctionnalit\u00e9 de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 corrig\u00e9es dans \u003cspan\nclass=\"textit\"\u003eles produits Microsoft\u003c/span\u003e. Elles permettent \u00e0 un\nattaquant de provoquer une ex\u00e9cution de code \u00e0 distance, une \u00e9l\u00e9vation\nde privil\u00e8ges, une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es, un\ncontournement de la fonctionnalit\u00e9 de s\u00e9curit\u00e9 et une usurpation\nd\u0027identit\u00e9.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Microsoft",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft du 14 avril 2020",
      "url": "https://portal.msrc.microsoft.com/fr-FR/security-guidance"
    }
  ]
}

gsd-2020-1026

Vulnerability from gsd

Modified

2023-12-13 01:21

Details

Aliases

CVE-2020-1026

Aliases

CVE-2020-1026

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2020-1026",
    "description": "A Security Feature Bypass vulnerability exists in the MSR JavaScript Cryptography Library that is caused by multiple bugs in the library\u00e2\u20ac\u2122s Elliptic Curve Cryptography (ECC) implementation.An attacker could potentially abuse these bugs to learn information about a server\u00e2\u20ac\u2122s private ECC key (a key leakage attack) or craft an invalid ECDSA signature that nevertheless passes as valid.The security update addresses the vulnerability by fixing the bugs disclosed in the ECC implementation, aka \u0027MSR JavaScript Cryptography Library Security Feature Bypass Vulnerability\u0027.",
    "id": "GSD-2020-1026"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2020-1026"
      ],
      "details": "A Security Feature Bypass vulnerability exists in the MSR JavaScript Cryptography Library that is caused by multiple bugs in the library\u00e2\u20ac\u2122s Elliptic Curve Cryptography (ECC) implementation.An attacker could potentially abuse these bugs to learn information about a server\u00e2\u20ac\u2122s private ECC key (a key leakage attack) or craft an invalid ECDSA signature that nevertheless passes as valid.The security update addresses the vulnerability by fixing the bugs disclosed in the ECC implementation, aka \u0027MSR JavaScript Cryptography Library Security Feature Bypass Vulnerability\u0027.",
      "id": "GSD-2020-1026",
      "modified": "2023-12-13T01:21:57.537603Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "secure@microsoft.com",
        "ID": "CVE-2020-1026",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Microsoft Research JavaScript Cryptography Library V1.4",
                    "version": {
                      "version_data": [
                        {
                          "version_value": ""
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Microsoft"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "A Security Feature Bypass vulnerability exists in the MSR JavaScript Cryptography Library that is caused by multiple bugs in the library\u00e2\u20ac\u2122s Elliptic Curve Cryptography (ECC) implementation.An attacker could potentially abuse these bugs to learn information about a server\u00e2\u20ac\u2122s private ECC key (a key leakage attack) or craft an invalid ECDSA signature that nevertheless passes as valid.The security update addresses the vulnerability by fixing the bugs disclosed in the ECC implementation, aka \u0027MSR JavaScript Cryptography Library Security Feature Bypass Vulnerability\u0027."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "Security Feature Bypass"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1026",
            "refsource": "MISC",
            "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1026"
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c1.5.8",
          "affected_versions": "All versions before 1.5.8",
          "cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-200",
            "CWE-347",
            "CWE-937"
          ],
          "date": "2022-01-06",
          "description": "A Security Feature Bypass vulnerability exists in the MSR JavaScript Cryptography Library that is caused by multiple bugs in the library\u00e2\u20ac\u2122s Elliptic Curve Cryptography (ECC) implementation.An attacker could potentially abuse these bugs to learn information about a server\u00e2\u20ac\u2122s private ECC key (a key leakage attack) or craft an invalid ECDSA signature that nevertheless passes as valid. The security update addresses the vulnerability by fixing the bugs disclosed in the ECC implementation, aka \u0027MSR JavaScript Cryptography Library Security Feature Bypass Vulnerability\u0027.",
          "fixed_versions": [
            "1.5.8"
          ],
          "identifier": "CVE-2020-1026",
          "identifiers": [
            "GHSA-9x9j-836w-8f55",
            "CVE-2020-1026"
          ],
          "not_impacted": "All versions starting from 1.5.8",
          "package_slug": "npm/msrcrypto",
          "pubdate": "2022-01-06",
          "solution": "Upgrade to version 1.5.8 or above.",
          "title": "Improper Verification of Cryptographic Signature",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2020-1026",
            "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1026",
            "https://github.com/advisories/GHSA-9x9j-836w-8f55"
          ],
          "uuid": "24fa267d-05f0-4ee9-bd51-401f95eb6739"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:microsoft:research_javascript_cryptography_library:1.4:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "secure@microsoft.com",
          "ID": "CVE-2020-1026"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "A Security Feature Bypass vulnerability exists in the MSR JavaScript Cryptography Library that is caused by multiple bugs in the library\u00e2\u20ac\u2122s Elliptic Curve Cryptography (ECC) implementation.An attacker could potentially abuse these bugs to learn information about a server\u00e2\u20ac\u2122s private ECC key (a key leakage attack) or craft an invalid ECDSA signature that nevertheless passes as valid.The security update addresses the vulnerability by fixing the bugs disclosed in the ECC implementation, aka \u0027MSR JavaScript Cryptography Library Security Feature Bypass Vulnerability\u0027."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-200"
                },
                {
                  "lang": "en",
                  "value": "CWE-347"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "N/A",
              "refsource": "N/A",
              "tags": [
                "Patch",
                "Vendor Advisory"
              ],
              "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1026"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2021-07-21T11:39Z",
      "publishedDate": "2020-04-15T15:15Z"
    }
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2020-1026 (GCVE-0-2020-1026)

Vulnerability from cvelistv5

ghsa-9x9j-836w-8f55

Vulnerability from github

fkie_cve-2020-1026

Vulnerability from fkie_nvd

CERTFR-2020-AVI-225

Vulnerability from certfr_avis

Solution

gsd-2020-1026

Vulnerability from gsd

Tags

Sightings

Nomenclature