Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2022-24884

Опубликовано: 06 мая 2022
Источник: nvd
CVSS3: 10
CVSS3: 7.5
CVSS2: 5
EPSS Низкий

Описание

ecdsautils is a tiny collection of programs used for ECDSA (keygen, sign, verify). ecdsa_verify_[prepare_]legacy() does not check whether the signature values r and s are non-zero. A signature consisting only of zeroes is always considered valid, making it trivial to forge signatures. Requiring multiple signatures from different public keys does not mitigate the issue: ecdsa_verify_list_legacy() will accept an arbitrary number of such forged signatures. Both the ecdsautil verify CLI command and the libecdsautil library are affected. The issue has been fixed in ecdsautils 0.4.1. All older versions of ecdsautils (including versions before the split into a library and a CLI utility) are vulnerable.

Ссылки

Уязвимые конфигурации

Конфигурация 1
cpe:2.3:a:ecdsautils_project:ecdsautils:*:*:*:*:*:*:*:*
Версия до 0.4.1 (исключая)
Конфигурация 2

Одно из

cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*
Конфигурация 3

Одно из

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

EPSS

Процентиль: 32%
0.00124
Низкий

10 Critical

CVSS3

7.5 High

CVSS3

5 Medium

CVSS2

Дефекты

CWE-347
CWE-347

Связанные уязвимости

ubuntu логотип

CVE-2022-24884

CVSS3: 10
ubuntu
почти 4 года назад

ecdsautils is a tiny collection of programs used for ECDSA (keygen, sign, verify). `ecdsa_verify_[prepare_]legacy()` does not check whether the signature values `r` and `s` are non-zero. A signature consisting only of zeroes is always considered valid, making it trivial to forge signatures. Requiring multiple signatures from different public keys does not mitigate the issue: `ecdsa_verify_list_legacy()` will accept an arbitrary number of such forged signatures. Both the `ecdsautil verify` CLI command and the libecdsautil library are affected. The issue has been fixed in ecdsautils 0.4.1. All older versions of ecdsautils (including versions before the split into a library and a CLI utility) are vulnerable.

debian логотип

CVE-2022-24884

CVSS3: 10
debian
почти 4 года назад

ecdsautils is a tiny collection of programs used for ECDSA (keygen, si ...

fstec логотип

BDU:2022-04276

CVSS3: 10
fstec
почти 4 года назад

Уязвимость функции ecdsa_verify_[prepare_]legacy() инструмента командной строки криптографии эллиптической кривой ECDSA ecdsautils, позволяющая нарушителю оказать воздействие на целостность данных

EPSS

Процентиль: 32%
0.00124
Низкий

10 Critical

CVSS3

7.5 High

CVSS3

5 Medium

CVSS2

Дефекты

CWE-347
CWE-347