How severe is CVE-2024-48948?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 4.8 out of 10.

What type of vulnerability is CVE-2024-48948?

This is classified as CWE-347, which is a common weakness in software security.

CVE-2024-48948 - MEDIUM Severity | CVSS 4.8

Vulnerability Description

The Elliptic package 6.5.7 for Node.js, in its for ECDSA implementation, does not correctly verify valid signatures if the hash contains at least four leading 0 bytes and when the order of the elliptic curve's base point is smaller than the hash, because of an _truncateToN anomaly. This leads to valid signatures being rejected. Legitimate transactions or communications may be incorrectly flagged as invalid.

Related Vulnerabilities

CVE-2017-18407

MEDIUM

CVSS:4.8(Medium)

cPanel before 67.9999.103 does not enforce SSL hostname verification for the support-agreement download (SEC-279).

CWE-3472017

CVE-2021-3521

MEDIUM

CVSS:4.7(Medium)

There is a flaw in RPM's signature functionality. OpenPGP subkeys are associated with a primary key via a "binding signature." RPM does not check the binding signature of subkeys prior to importing th...

CWE-3472021

CVE-2023-36811

MEDIUM

CVSS:4.7(Medium)

borgbackup is an opensource, deduplicating archiver with compression and authenticated encryption. A flaw in the cryptographic authentication scheme in borgbackup allowed an attacker to fake archives ...

CWE-3472023

CVE-2020-3308

MEDIUM

CVSS:4.9(Medium)

A vulnerability in the Image Signature Verification feature of Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, remote attacker with administrator-level credentials to insta...

CWE-3472020

CVE-2021-1461

MEDIUM

CVSS:4.9(Medium)

A vulnerability in the Image Signature Verification feature of Cisco SD-WAN Software could allow an authenticated, remote attacker with Administrator-level credentials to install a malicious soft...

CWE-3472021

CVE-2016-8021

MEDIUM

CVSS:5.0(Medium)

Improper verification of cryptographic signature vulnerability in Intel Security VirusScan Enterprise Linux (VSEL) 2.0.3 (and earlier) allows remote authenticated users to spoof update server and exec...

CWE-3472016