{
  "threat_severity" : "Moderate",
  "public_date" : "2020-06-01T00:00:00Z",
  "bugzilla" : {
    "description" : "nodejs-elliptic: improper encoding checks allows a certain degree of signature malleability in ECDSA signatures",
    "id" : "1848647",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1848647"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.7",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L",
    "status" : "verified"
  },
  "cwe" : "CWE-190",
  "details" : [ "The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.", "The Elliptic package for Node.js allows ECDSA signature malleability via variations in encoding, leading '\\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature." ],
  "statement" : "In both OpenShift Container Platform (OCP) and OpenShift ServiceMesh (OSSM), the grafana and prometheus containers don't use the vulnerable elliptic library for authentication (OpenShift OAuth is used) or traffic communications (OpenShift route is used). Therefore the impact for OCP and OSSM is Low.\nRed Hat Quay includes nodejs-elliptic as a dependency of webpack. That dependency is only used at development time, not runtime. Therefore this vulnerability is rated low for Red Hat Quay.",
  "affected_release" : [ {
    "product_name" : "Red Hat OpenShift Container Platform 4.6",
    "release_date" : "2020-10-27T00:00:00Z",
    "advisory" : "RHSA-2020:4298",
    "cpe" : "cpe:/a:redhat:openshift:4.6::el8",
    "package" : "openshift4/ose-grafana:v4.6.0-202010061132.p0",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.6",
    "release_date" : "2020-10-27T00:00:00Z",
    "advisory" : "RHSA-2020:4298",
    "cpe" : "cpe:/a:redhat:openshift:4.6::el8",
    "package" : "openshift4/ose-prometheus:v4.6.0-202009290409.p0",
    "impact" : "low"
  }, {
    "product_name" : "Text-Only RHSSO",
    "release_date" : "2020-12-15T00:00:00Z",
    "advisory" : "RHSA-2020:5533",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on",
    "package" : "nodejs"
  } ],
  "package_state" : [ {
    "product_name" : "OpenShift Service Mesh 1",
    "fix_state" : "Fix deferred",
    "package_name" : "servicemesh-grafana",
    "cpe" : "cpe:/a:redhat:service_mesh:1",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Affected",
    "package_name" : "golang-github-prometheus-promu",
    "cpe" : "cpe:/a:redhat:openshift:4",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Quay 3",
    "fix_state" : "Fix deferred",
    "package_name" : "quay/quay-rhel8",
    "cpe" : "cpe:/a:redhat:quay:3",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Single Sign-On 7",
    "fix_state" : "Affected",
    "package_name" : "nodejs",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-13822\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-13822\nhttps://snyk.io/vuln/SNYK-JS-ELLIPTIC-571484" ],
  "name" : "CVE-2020-13822",
  "csaw" : false
}