Vulnerability Details : CVE-2021-20305
A flaw was found in Nettle in versions before 3.7.2, where several Nettle signature verification functions (GOST DSA, EdDSA and ECDSA) result in the Elliptic Curve Cryptography (ECC) point multiply function being called with out-of-range scalars, possibly resulting in incorrect results. This flaw allows an attacker to force an invalid signature, causing an assertion failure or possible validation. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
Vulnerability category: Memory Corruption
Products affected by CVE-2021-20305
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*
- cpe:2.3:a:nettle_project:nettle:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-20305
- 0.96%: Probability of exploitation activity in the next 30 days
- ~82%: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2021-20305
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P | 8.6 | 6.4 | NIST | |
8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.2 | 5.9 | NIST | |
CWE ids for CVE-2021-20305
- The product uses a broken or risky cryptographic algorithm or protocol. Assigned by: secalert@redhat.com (Secondary)
- The product writes data past the end, or before the beginning, of the intended buffer. Assigned by: nvd@nist.gov (Primary)
References for CVE-2021-20305
- https://lists.debian.org/debian-lts-announce/2021/09/msg00008.html
  [SECURITY] [DLA 2760-1] nettle security update (Mailing List; Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MQKWVVMAIDAJ7YAA3VVO32BHLDOH2E63/
  [SECURITY] Fedora 33 Update: gnutls-3.6.16-1.fc33 - package-announce - Fedora Mailing-Lists (Third Party Advisory)
- https://www.debian.org/security/2021/dsa-4933
  Debian -- Security Information -- DSA-4933-1 nettle (Third Party Advisory)
- https://security.gentoo.org/glsa/202105-31
  Nettle: Denial of service (GLSA 202105-31) — Gentoo security (Third Party Advisory)
- https://security.netapp.com/advisory/ntap-20211022-0002/
  CVE-2021-20305 Nettle Vulnerability in NetApp Products | NetApp Product Security (Third Party Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=1942533
  1942533 – (CVE-2021-20305) CVE-2021-20305 nettle: Out of Bound memory access in signature verification (Issue Tracking; Patch; Third Party Advisory)