Sm Crypto
sm-crypto versions up to 0.3.14 are affected by improper verification of a cryptographic signature (CVSS 7.5).
The sm-crypto JavaScript library has a private key recovery vulnerability in its SM2 implementation, allowing attackers to extract secret keys from signatures.
SM2 signature forgery in sm-crypto prior to version 0.4.0 allows unauthenticated attackers to create valid signatures for arbitrary public keys, potentially enabling message authentication bypass in applications using the library's default configuration. An attacker can also manipulate message prefixes to meet specific formatting constraints when sufficient redundancy exists in the message space. A patch is available in version 0.4.0 and later.