Use of a Broken or Risky Cryptographic Algorithm

Affecting nettle package, versions <3.2-1ubuntu0.16.04.2

Report new vulnerabilities
Do your applications use this vulnerable package? Test your applications

NVD Description

Note: Versions mentioned in the description apply to the upstream nettle package. See Remediation section below for Ubuntu:16.04 relevant versions.

A flaw was found in Nettle in versions before 3.7.2, where several Nettle signature verification functions (GOST DSA, EDDSA & ECDSA) result in the Elliptic Curve Cryptography point (ECC) multiply function being called with out-of-range scalers, possibly resulting in incorrect results. This flaw allows an attacker to force an invalid signature, causing an assertion failure or possible validation. The highest threat to this vulnerability is to confidentiality, integrity, as well as system availability.

Remediation

Upgrade Ubuntu:16.04 nettle to version 3.2-1ubuntu0.16.04.2 or higher.

References

CVSS Score

8.1
medium severity
  • Attack Vector
    Network
  • Attack Complexity
    High
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    High
  • Integrity
    High
  • Availability
    High
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE
CVE-2021-20305
CWE
CWE-327
Snyk ID
SNYK-UBUNTU1604-NETTLE-1090731
Disclosed
05 Apr, 2021
Published
07 Apr, 2021