Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2021-20305

Good to know:

icon

Date: April 5, 2021

A flaw was found in Nettle in versions before 3.7.2, where several Nettle signature verification functions (GOST DSA, EDDSA & ECDSA) result in the Elliptic Curve Cryptography point (ECC) multiply function being called with out-of-range scalers, possibly resulting in incorrect results. This flaw allows an attacker to force an invalid signature, causing an assertion failure or possible validation. The highest threat to this vulnerability is to confidentiality, integrity, as well as system availability.

Language: C

Severity Score

Related Resources (14)

https://lists.debian.org/debian-lts-announce/2021/09/msg00008.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MQKWVVMAIDAJ7YAA3VVO32BHLDOH2E63/
https://access.redhat.com/security/cve/CVE-2021-20305
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MQKWVVMAIDAJ7YAA3VVO32BHLDOH2E63/
https://security.gentoo.org/glsa/202105-31
https://security-tracker.debian.org/tracker/CVE-2021-20305
https://people.canonical.com/~ubuntu-security/cve/CVE-2021-20305
https://security.alpinelinux.org/vuln/CVE-2021-20305
https://nvd.nist.gov/vuln/detail/CVE-2021-20305
https://github.com/gnutls/nettle/commit/a63893791280d441c713293491da97c79c0950fe
https://security.netapp.com/advisory/ntap-20211022-0002/
https://bugzilla.redhat.com/show_bug.cgi?id=1942533
https://www.debian.org/security/2021/dsa-4933
https://www.mend.io/vulnerability-database/CVE-2021-20305

Severity Score

Weakness Type (CWE)

Out-of-bounds Write

CWE-787

Use of a Broken or Risky Cryptographic Algorithm

CWE-327

Top Fix

icon

Upgrade Version

Upgrade to version nettle_3.7.2_release_20210321

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): HIGH
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): HIGH
Availability (A): HIGH

CVSS v2

Base Score:
Access Vector (AV): NETWORK
Access Complexity (AC): MEDIUM
Authentication (AU): NONE
Confidentiality (C): PARTIAL
Integrity (I): PARTIAL
Availability (A): PARTIAL
Additional information:

Do you need more information?

Contact Us