The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature. Reference: https://github.com/indutny/elliptic/issues/226
Upstream commit: https://github.com/indutny/elliptic/commit/856fe4d99fe7b6200556e6400b3bf585b1721bec
External References: https://snyk.io/vuln/SNYK-JS-ELLIPTIC-571484
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.6 Via RHSA-2020:4298 https://access.redhat.com/errata/RHSA-2020:4298
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-13822
This issue has been addressed in the following products: Red Hat Single Sign-On Via RHSA-2020:5533 https://access.redhat.com/errata/RHSA-2020:5533
Statement: In both OpenShift Container Platform (OCP) and OpenShift ServiceMesh (OSSM), the grafana and prometheus containers don't use the vulnerable elliptic library for authentication (OpenShift OAuth is used) or traffic communications (OpenShift route is used). Therefore the impact for OCP and OSSM is Low. Red Hat Quay includes nodejs-elliptic as a dependency of webpack. That dependency is only used at development time, not runtime. Therefore this vulnerability is rated low for Red Hat Quay.