CVE-2021-20305

Published: Apr 5, 2021Modified: Nov 21, 2024

8.1

Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.2 / Impact: 5.9

Source: NVD

Description

A flaw was found in Nettle in versions before 3.7.2, where several Nettle signature verification functions (GOST DSA, EDDSA & ECDSA) result in the Elliptic Curve Cryptography point (ECC) multiply function being called with out-of-range scalers, possibly resulting in incorrect results. This flaw allows an attacker to force an invalid signature, causing an assertion failure or possible validation. The highest threat to this vulnerability is to confidentiality, integrity, as well as system availability.

Affected (8)

Products: Nettle Project: Nettle · Fedoraproject: Fedora · Redhat: Enterprise Linux · +2 more

Show all products

Nettle Project: Nettle · Fedoraproject: Fedora · Redhat: Enterprise Linux · Netapp: Active Iq Unified Manager, Ontap Select Deploy Administration Utility · Debian: Debian Linux

1 product

1 product

1 product

Enterprise Linux

2 products

Active Iq Unified Manager

Ontap Select Deploy Administration Utility

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Nettle Project Nettle	Before 3.7.2

Configuration B

3 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Fedora	Version 33
Redhat Enterprise Linux	Version 7.0
Redhat Enterprise Linux	Version 8.0

Configuration C

2 vulnerable

Vulnerable Software	Affected Versions
Netapp Active Iq Unified Manager	All versions
Netapp Ontap Select Deploy Administration Utility	All versions

Configuration D

2 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 10.0
Debian Debian Linux	Version 9.0

Related CWEs

Use of a Broken or Risky Cryptographic Algorithm

The product uses a broken or risky cryptographic algorithm or protocol.

Out-of-bounds Write

The product writes data past the end, or before the beginning, of the intended buffer.

References (12)

https://bugzilla.redhat.com/show_bug.cgi?id=1942533

Source: secalert@redhat.com

Issue TrackingPatchThird Party Advisory

https://lists.debian.org/debian-lts-announce/2021/09/msg00008.html

Source: secalert@redhat.com

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MQKWVVMAIDAJ7YAA3VVO32BHLDOH2E63/

Source: secalert@redhat.com

https://security.gentoo.org/glsa/202105-31

Source: secalert@redhat.com

Third Party Advisory

https://security.netapp.com/advisory/ntap-20211022-0002/

Source: secalert@redhat.com

Third Party Advisory

https://www.debian.org/security/2021/dsa-4933

Source: secalert@redhat.com

Third Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=1942533

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingPatchThird Party Advisory

https://lists.debian.org/debian-lts-announce/2021/09/msg00008.html

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MQKWVVMAIDAJ7YAA3VVO32BHLDOH2E63/

Source: af854a3a-2127-422b-91ae-364da2661108

https://security.gentoo.org/glsa/202105-31

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://security.netapp.com/advisory/ntap-20211022-0002/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://www.debian.org/security/2021/dsa-4933

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.