CVE-2021-20305

Name
CVE-2021-20305
Description
A flaw was found in Nettle in versions before 3.7.2, where several Nettle signature verification functions (GOST DSA, EDDSA & ECDSA) result in the Elliptic Curve Cryptography point (ECC) multiply function being called with out-of-range scalars, possibly resulting in incorrect results. This flaw allows an attacker to force an invalid signature, causing an assertion failure or possible validation. The highest threat to this vulnerability is to confidentiality, integrity, as well as system availability.
NVD Severity
high

References

Type | URI
Issue Tracking | https://bugzilla.redhat.com/show_bug.cgi?id=1942533
Third Party Advisory | https://security.gentoo.org/glsa/202105-31
Third Party Advisory | https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MQKWVVMAIDAJ7YAA3VVO32BHLDOH2E63/

Match rules

CPE URI | Source package | Min version | Max version
cpe:2.3:a:nettle_project:nettle:*:*:*:*:*:*:*:* | nettle | >= None | < 3.7.2

Vulnerable and fixed packages

Source package | Branch | Version | Maintainer | Status
nettle | 3.13-main | 3.7.2-r0 | Fabian Affolter <fabian@affolter-engineering.ch> | fixed
nettle | 3.12-main | 3.5.1-r1 | Fabian Affolter <fabian@affolter-engineering.ch> | possibly vulnerable
nettle | 3.11-main | 3.5.1-r0 | Fabian Affolter <fabian@affolter-engineering.ch> | possibly vulnerable
nettle | 3.10-main | 3.4.1-r1 | Fabian Affolter <fabian@affolter-engineering.ch> | possibly vulnerable
nettle | 3.14-main | 3.7.2-r0 | Fabian Affolter <fabian@affolter-engineering.ch> | fixed