CVE-2021-30130

Опубликовано: 06 апр. 2021

Источник: debian

EPSS Низкий

Описание

phpseclib before 2.0.31 and 3.x before 3.0.7 mishandles RSA PKCS#1 v1.5 signature verification.

Пакет	Статус	Версия исправления	Тип
phpseclib	fixed	1.0.19-3	package
php-phpseclib	fixed	2.0.30-2	package
php-phpseclib3	fixed	3.0.7-1	package

https://github.com/phpseclib/phpseclib/pull/1635#issuecomment-826994890
Introduced by: https://github.com/phpseclib/phpseclib/commit/cc32cd2e95b18a0c0118bbf1928327675c9e64a9 (v3.0 / RSA::SIGNATURE_RELAXED_PKCS1)
Fixed by: https://github.com/phpseclib/phpseclib/commit/05550b9c490bf342bce66de75d127d2f75c48bdd (1.0.20, 2.0.31, 3.0.7)
Fixed by: https://github.com/phpseclib/phpseclib/commit/42fc46e9a92c2ce5b10d2fbfb00b630417d6dfbe (3.0.7)
According to upstream in #1635, "v2.0 does not have a vulnerability" (only non-security bugs).
However, a lot of identical fixes were applied to all 1.x/2.x/3.x branches upstream.
They were also backported in bullseye/testing in 1.x/2.x (claimed as a CVE-2021-30130 fix).
Given the broad scope of this CVE description, let's assume that those fixes are needed in 1.x/2.x.

EPSS

Процентиль: 42%

0.00201

Низкий

CVE-2021-30130

CVSS3: 7.5

ubuntu

больше 4 лет назад

phpseclib before 2.0.31 and 3.x before 3.0.7 mishandles RSA PKCS#1 v1.5 signature verification.

CVE-2021-30130

CVSS3: 7.5

nvd

больше 4 лет назад

phpseclib before 2.0.31 and 3.x before 3.0.7 mishandles RSA PKCS#1 v1.5 signature verification.

GHSA-vf4w-fg7r-5v94

CVSS3: 7.5

github

больше 4 лет назад

Improper Certificate Validation in phpseclib

ROS-20250818-03

CVSS3: 7.5

redos

21 день назад

Множественные уязвимости php-phpseclib

EPSS

Процентиль: 42%

0.00201

Низкий