CVE-2021-20305

A flaw was found in Nettle in versions before 3.7.2, where several Nettle signature verification functions (GOST DSA, EDDSA & ECDSA) result in the Elliptic Curve Cryptography point (ECC) multiply function being called with out-of-range scalers, possibly resulting in incorrect results. This flaw allows an attacker to force an invalid signature, causing an assertion failure or possible validation. The highest threat to this vulnerability is to confidentiality, integrity, as well as system availability.

Published: Apr 6, 2021
Updated: Apr 14, 2023
CVE: CVE-2021-20305
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.1
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: Medium
Score: 6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P

CWEs:

CWE-787

Affected Software
References

Software	From	Fixed in
nettle_project / nettle	-	3.7.2
redhat / enterprise_linux	7.0	7.0.x
redhat / enterprise_linux	8.0	8.0.x
fedoraproject / fedora	33	33.x
debian / debian_linux	9.0	9.0.x
debian / debian_linux	10.0	10.0.x

Vulnerability Database

289,697

CVE-2021-20305