CVE-2020-13895

Опубликовано: 07 июн. 2020

Источник: nvd

CVSS3: 8.8

CVSS2: 6.8

EPSS Низкий

Описание

Crypt::Perl::ECDSA in the Crypt::Perl (aka p5-Crypt-Perl) module before 0.32 for Perl fails to verify correct ECDSA signatures when r and s are small and when s = 1. This happens when using the curve secp256r1 (prime256v1). This could conceivably have a security-relevant impact if an attacker wishes to use public r and s values when guessing whether signature verification will fail.

Ссылки

https://github.com/FGasper/p5-Crypt-Perl/commit/f960ce75502acf7404187231a706672f8369acb2
Patch
Third Party Advisory
https://github.com/FGasper/p5-Crypt-Perl/issues/14
Third Party Advisory
https://github.com/FGasper/p5-Crypt-Perl/commit/f960ce75502acf7404187231a706672f8369acb2
Patch
Third Party Advisory
https://github.com/FGasper/p5-Crypt-Perl/issues/14
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:p5-crypt-perl_project:p5-crypt-perl:*:*:*:*:*:perl:*:*

Версия до 0.32 (исключая)

EPSS

Процентиль: 40%

0.00185

Низкий

8.8 High

CVSS3

6.8 Medium

CVSS2

Дефекты

CWE-347

Связанные уязвимости

CVE-2020-13895

CVSS3: 8.8

debian

больше 5 лет назад

Crypt::Perl::ECDSA in the Crypt::Perl (aka p5-Crypt-Perl) module befor ...

GHSA-jxxc-m3fj-q52w

github

больше 3 лет назад